
Lazarus Group

aka: Operation DarkSeoul, Dark Seoul, Hidden Cobra, Hastati Group, Andariel, Unit 121, Bureau 121, NewRomanic Cyber Army Team, Bluenoroff, Subgroup: Bluenoroff, Group 77, Labyrinth Chollima, Operation Troy, Operation GhostSecret, Operation AppleJeus, APT38, APT 38, Stardust Chollima, Whois Hacking Team, Zinc, Appleworm, Nickel Academy, APT-C-26, NICKEL GLADSTONE, COVELLITE, ATK3, G0032, ATK117, G0082

Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Duuzer, and Hangman.


Associated Families
win.unidentified_101 win.unidentified_090 aix.fastcash apk.badcall apk.hardrain elf.badcall js.quickcafe osx.3cx_backdoor osx.casso osx.dacls osx.manuscrypt osx.rustbucket osx.watchcat osx.yort php.redhat_hacker ps1.powerbrace ps1.powerspritz win.3cx_backdoor win.alphanc win.artfulpie win.bitsran win.blindtoad win.bookcodesrat win.bootwreck win.brambul win.bravonc win.buffetline win.cheesetray win.cleantoad win.crat win.cur1_downloader win.dacls win.deltas win.duuzer win.electricfish win.ghost_rat win.ghost_secret win.gopuram win.hardrain win.hermes win.hoplight win.hotcroissant win.httpsuploader win.iconic_stealer win.joanap win.keymarble win.klackring win.lazardoor win.lazarloader win.op_blockbuster win.power_ratankba win.pslogger win.romeos win.rustbucket win.slickshoes win.touchmove win.unidentified_042 win.veiledsignal win.winordll64 win.anchormtea win.racket win.comebacker win.lcpdot win.webbytea win.cloudburst win.ratankba win.interception win.nestegg win.ratankbapos win.wormhole osx.interception win.bluenoroff osx.poolrat osx.unidentified_001 win.unidentified_077 win.sierras win.contopee win.dyepack win.badcall win.alreay win.darkcomet win.phandoor win.rifdoor win.dtrack win.magic_rat win.vsingle win.bankshot win.banpolmex win.hotwax win.lazarus_killdisk win.nachocheese win.redshawl win.volgmer win.wannacryptor win.coredn win.dratzarus win.lpeclient win.fudmodule win.jessiecontea win.neddnloader win.fuwuqidrama osx.applejeus win.applejeus win.snatchcrypto win.vyveva win.blindingcan win.torisma win.bistromath

References
2023-08-31AhnLabSanseo
@online{sanseo:20230831:analysis:c771be9, author = {Sanseo}, title = {{Analysis of Andariel’s New Attack Activities}}, date = {2023-08-31}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/56405/}, language = {English}, urldate = {2023-09-01} } Analysis of Andariel’s New Attack Activities
Andardoor BlackRemote Tiger RAT Volgmer
2023-08-22AhnLabASEC Analysis Team
@online{team:20230822:analyzing:a2e958c, author = {ASEC Analysis Team}, title = {{Analyzing the new attack activity of the Andariel group}}, date = {2023-08-22}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/56256/}, language = {Korean}, urldate = {2023-08-28} } Analyzing the new attack activity of the Andariel group
Andardoor MimiKatz QuiteRAT Tiger RAT Volgmer
2023-07-05SentinelOnePhil Stokes
@online{stokes:20230705:bluenoroff:15e17f0, author = {Phil Stokes}, title = {{BlueNoroff | How DPRK’s macOS RustBucket Seeks to Evade Analysis and Detection}}, date = {2023-07-05}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/bluenoroff-how-dprks-macos-rustbucket-seeks-to-evade-analysis-and-detection/}, language = {English}, urldate = {2023-07-08} } BlueNoroff | How DPRK’s macOS RustBucket Seeks to Evade Analysis and Detection
RustBucket
2023-06-29ElasticColson Wilhoit, Salim Bitam, Seth Goodwin, Andrew Pease, Ricardo Ungureanu
@online{wilhoit:20230629:dprk:e7dd437, author = {Colson Wilhoit and Salim Bitam and Seth Goodwin and Andrew Pease and Ricardo Ungureanu}, title = {{The DPRK strikes using a new variant of RUSTBUCKET}}, date = {2023-06-29}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket}, language = {English}, urldate = {2023-07-02} } The DPRK strikes using a new variant of RUSTBUCKET
RustBucket
2023-06-08AhnLabASEC Analysis Team
@online{team:20230608:lazarus:e8fb47d, author = {ASEC Analysis Team}, title = {{Lazarus Group exploiting vulnerabilities in domestic financial security solutions}}, date = {2023-06-08}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/53832/}, language = {Korean}, urldate = {2023-06-12} } Lazarus Group exploiting vulnerabilities in domestic financial security solutions
LazarDoor LazarLoader
2023-05-25YouTube (BSidesCharm)Asheer Malhotra
@online{malhotra:20230525:its:a79abe4, author = {Asheer Malhotra}, title = {{it’s all Magic(RAT) – A look into recent North Korean nation-state attacks}}, date = {2023-05-25}, organization = {YouTube (BSidesCharm)}, url = {https://www.youtube.com/watch?v=nUjxH1gW53s}, language = {English}, urldate = {2023-08-28} } it’s all Magic(RAT) – A look into recent North Korean nation-state attacks
MagicRAT VSingle YamaBot
2023-05-22SekoiaJamila B., Kilian Seznec, Charles M.
@online{b:20230522:bluenoroffs:4fd8a5c, author = {Jamila B. and Kilian Seznec and Charles M.}, title = {{Bluenoroff’s RustBucket campaign}}, date = {2023-05-22}, organization = {Sekoia}, url = {https://blog.sekoia.io/bluenoroffs-rustbucket-campaign/}, language = {English}, urldate = {2023-05-30} } Bluenoroff’s RustBucket campaign
RustBucket WebbyTea
2023-05-01JPCERT/CCShusei Tomonaga
@online{tomonaga:20230501:attack:5c3693e, author = {Shusei Tomonaga}, title = {{Attack trends related to the attack campaign DangerousPassword}}, date = {2023-05-01}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/ja/2023/05/dangerouspassword.html}, language = {English}, urldate = {2023-07-11} } Attack trends related to the attack campaign DangerousPassword
RustBucket CageyChameleon Cur1Downloader SnatchCrypto
2023-04-24CofenseAustin Jones
@online{jones:20230424:opensource:a0f5347, author = {Austin Jones}, title = {{Open-Source Gh0st RAT Still Haunting Inboxes 15 Years After Release}}, date = {2023-04-24}, organization = {Cofense}, url = {https://cofense.com/blog/open-source-gh0st-rat-still-haunting-inboxes-15-years-after-release/}, language = {English}, urldate = {2023-04-26} } Open-Source Gh0st RAT Still Haunting Inboxes 15 Years After Release
Ghost RAT
2023-04-21SymantecThreat Hunter Team
@online{team:20230421:xtrader:f5f0e26, author = {Threat Hunter Team}, title = {{X_Trader Supply Chain Attack Affects Critical Infrastructure Organizations in U.S. and Europe}}, date = {2023-04-21}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain}, language = {English}, urldate = {2023-05-26} } X_Trader Supply Chain Attack Affects Critical Infrastructure Organizations in U.S. and Europe
VEILEDSIGNAL
2023-04-21Jamf BlogFerdous Saljooki, Jaron Bradley
@online{saljooki:20230421:bluenoroff:68aef87, author = {Ferdous Saljooki and Jaron Bradley}, title = {{BlueNoroff APT group targets macOS with ‘RustBucket’ Malware}}, date = {2023-04-21}, organization = {Jamf Blog}, url = {https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/}, language = {English}, urldate = {2023-04-25} } BlueNoroff APT group targets macOS with ‘RustBucket’ Malware
RustBucket
2023-04-20ESET ResearchPeter Kálnai, Marc-Etienne M.Léveillé
@online{klnai:20230420:linux:fd293b6, author = {Peter Kálnai and Marc-Etienne M.Léveillé}, title = {{Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack}}, date = {2023-04-20}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack}, language = {English}, urldate = {2023-04-25} } Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack
BADCALL 3CX Backdoor BADCALL IconicStealer
2023-04-203CXAgathocles Prodromou
@online{prodromou:20230420:security:7224e80, author = {Agathocles Prodromou}, title = {{Security Update Thursday 20 April 2023 – Initial Intrusion Vector Found}}, date = {2023-04-20}, organization = {3CX}, url = {https://www.3cx.com/blog/news/mandiant-security-update2/}, language = {English}, urldate = {2023-04-25} } Security Update Thursday 20 April 2023 – Initial Intrusion Vector Found
POOLRAT
2023-04-20MandiantJEFF JOHNSON, Fred Plan, ADRIAN SANCHEZ, RENATO FONTANA, Jake Nicastro, Dimiter Andonov, Marius Fodoreanu, DANIEL SCOTT
@online{johnson:20230420:3cx:9ef2c90, author = {JEFF JOHNSON and Fred Plan and ADRIAN SANCHEZ and RENATO FONTANA and Jake Nicastro and Dimiter Andonov and Marius Fodoreanu and DANIEL SCOTT}, title = {{3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible}}, date = {2023-04-20}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise}, language = {English}, urldate = {2023-04-25} } 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible
POOLRAT IconicStealer
2023-04-18MandiantMandiant
@online{mandiant:20230418:mtrends:af1a28e, author = {Mandiant}, title = {{M-Trends 2023}}, date = {2023-04-18}, organization = {Mandiant}, url = {https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023}, language = {English}, urldate = {2023-04-18} } M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate
2023-04-13Intel 471Souhail Hammou, Jorge Rodriguez
@online{hammou:20230413:from:ec710d3, author = {Souhail Hammou and Jorge Rodriguez}, title = {{From GhostNet to PseudoManuscrypt - The evolution of Gh0st RAT}}, date = {2023-04-13}, organization = {Intel 471}, url = {https://www.youtube.com/watch?v=uakw2HMGZ-I}, language = {English}, urldate = {2023-06-23} } From GhostNet to PseudoManuscrypt - The evolution of Gh0st RAT
BBSRAT Gh0stTimes Ghost RAT PseudoManuscrypt
2023-04-12Kaspersky LabsSeongsu Park
@online{park:20230412:following:851b624, author = {Seongsu Park}, title = {{Following the Lazarus group by tracking DeathNote campaign}}, date = {2023-04-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-lazarus-group-deathnote-campaign/109490/}, language = {English}, urldate = {2023-07-28} } Following the Lazarus group by tracking DeathNote campaign
Bankshot BLINDINGCAN LPEClient MimiKatz NedDnLoader Racket Downloader Volgmer
2023-04-03Kaspersky LabsGeorgy Kucherin
@online{kucherin:20230403:not:ddfeb19, author = {Georgy Kucherin}, title = {{Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack}}, date = {2023-04-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344}, language = {English}, urldate = {2023-04-08} } Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack
Gopuram
2023-04-03Youtube (MalwareAnalysisForHedgehogs)Karsten Hahn
@online{hahn:20230403:malware:892e68e, author = {Karsten Hahn}, title = {{Malware Analysis - 3CX SmoothOperator ffmpeg.dll with Binary Ninja}}, date = {2023-04-03}, organization = {Youtube (MalwareAnalysisForHedgehogs)}, url = {https://www.youtube.com/watch?v=fTX-vgSEfjk}, language = {English}, urldate = {2023-04-06} } Malware Analysis - 3CX SmoothOperator ffmpeg.dll with Binary Ninja
3CX Backdoor
2023-04-03Twitter (@kucher1n)Georgy Kucherin
@online{kucherin:20230403:alternative:280883c, author = {Georgy Kucherin}, title = {{Tweet on an alternative Guporam sample}}, date = {2023-04-03}, organization = {Twitter (@kucher1n)}, url = {https://twitter.com/kucher1n/status/1642886340105601029?t=3GCn-ZhDjqWEMXya_PKseg}, language = {English}, urldate = {2023-04-08} } Tweet on an alternative Guporam sample
Gopuram
2023-04-01Github (dodo-sec)dodo-sec
@online{dodosec:20230401:smoothoperator:1aa2e60, author = {dodo-sec}, title = {{SmoothOperator}}, date = {2023-04-01}, organization = {Github (dodo-sec)}, url = {https://github.com/dodo-sec/Malware-Analysis/blob/main/SmoothOperator/SmoothOperator.md}, language = {English}, urldate = {2023-04-03} } SmoothOperator
3CX Backdoor
2023-04-01Objective-SeePatrick Wardle
@online{wardle:20230401:ironing:d7ecebf, author = {Patrick Wardle}, title = {{Ironing out (the macOS) details of a Smooth Operator (Part II)}}, date = {2023-04-01}, organization = {Objective-See}, url = {https://objective-see.org/blog/blog_0x74.html}, language = {English}, urldate = {2023-04-06} } Ironing out (the macOS) details of a Smooth Operator (Part II)
3CX Backdoor
2023-03-31BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20230331:initial:6f10f80, author = {The BlackBerry Research & Intelligence Team}, title = {{Initial Implants and Network Analysis Suggest the 3CX Supply Chain Operation Goes Back to Fall 2022}}, date = {2023-03-31}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2023/03/initial-implants-and-network-analysis-suggest-the-3cx-supply-chain-operation-goes-back-to-fall-2022}, language = {English}, urldate = {2023-04-02} } Initial Implants and Network Analysis Suggest the 3CX Supply Chain Operation Goes Back to Fall 2022
3CX Backdoor
2023-03-31Reversing LabsKarlo Zanki
@online{zanki:20230331:red:61b2c78, author = {Karlo Zanki}, title = {{Red flags flew over software supply chain-compromised 3CX update}}, date = {2023-03-31}, organization = {Reversing Labs}, url = {https://www.reversinglabs.com/blog/red-flags-fly-over-supply-chain-compromised-3cx-update}, language = {English}, urldate = {2023-04-02} } Red flags flew over software supply chain-compromised 3CX update
3CX Backdoor
2023-03-31ZscalerRohit Hegde, Niraj Shivtarkar, Meghraj Nandanwar
@online{hegde:20230331:3cx:7fb285c, author = {Rohit Hegde and Niraj Shivtarkar and Meghraj Nandanwar}, title = {{3CX Supply Chain Attack Campaign Campaign Analysis}}, date = {2023-03-31}, organization = {Zscaler}, url = {https://www.zscaler.com/security-research/3CX-supply-chain-attack-analysis-march-2023}, language = {English}, urldate = {2023-04-02} } 3CX Supply Chain Attack Campaign Campaign Analysis
3CX Backdoor
2023-03-31vmwareThreat Analysis Unit
@online{unit:20230331:investigating:bf45200, author = {Threat Analysis Unit}, title = {{Investigating 3CX Desktop Application Attacks: What You Need to Know}}, date = {2023-03-31}, organization = {vmware}, url = {https://blogs.vmware.com/security/2023/03/investigating-3cx-desktop-application-attacks-what-you-need-to-know.html}, language = {English}, urldate = {2023-04-02} } Investigating 3CX Desktop Application Attacks: What You Need to Know
3CX Backdoor
2023-03-31cybleCyble
@online{cyble:20230331:comprehensive:39bc743, author = {Cyble}, title = {{A Comprehensive Analysis of the 3CX Attack}}, date = {2023-03-31}, organization = {cyble}, url = {https://blog.cyble.com/2023/03/31/a-comprehensive-analysis-of-the-3cx-attack}, language = {English}, urldate = {2023-04-02} } A Comprehensive Analysis of the 3CX Attack
3CX Backdoor
2023-03-31Group-IBGroup-IB
@online{groupib:20230331:36gate:9107003, author = {Group-IB}, title = {{36gate: supply chain attack}}, date = {2023-03-31}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/3cx-supply-chain-attack/?utm_source=twitter&utm_campaign=3cx-blog&utm_medium=social}, language = {English}, urldate = {2023-04-02} } 36gate: supply chain attack
3CX Backdoor
2023-03-31splunkSplunk Threat Research Team
@online{team:20230331:splunk:38f1f9f, author = {Splunk Threat Research Team}, title = {{Splunk Insights: Investigating the 3CXDesktopApp Supply Chain Compromise}}, date = {2023-03-31}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/splunk-insights-investigating-the-3cxdesktopapp-supply-chain-compromise.html}, language = {English}, urldate = {2023-04-02} } Splunk Insights: Investigating the 3CXDesktopApp Supply Chain Compromise
3CX Backdoor
2023-03-30Huntress LabsJohn Hammond
@online{hammond:20230330:3cx:bba6690, author = {John Hammond}, title = {{3CX VoIP Software Compromise & Supply Chain Threats}}, date = {2023-03-30}, organization = {Huntress Labs}, url = {https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats}, language = {English}, urldate = {2023-04-02} } 3CX VoIP Software Compromise & Supply Chain Threats
3CX Backdoor
2023-03-30VolexityAnkur Saini, Callum Roxan, Charlie Gardner, Paul Rascagnères, Steven Adair, Thomas Lancaster
@online{saini:20230330:3cx:82b291e, author = {Ankur Saini and Callum Roxan and Charlie Gardner and Paul Rascagnères and Steven Adair and Thomas Lancaster}, title = {{3CX Supply Chain Compromise Leads to ICONIC Incident}}, date = {2023-03-30}, organization = {Volexity}, url = {https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/}, language = {English}, urldate = {2023-03-30} } 3CX Supply Chain Compromise Leads to ICONIC Incident
3CX Backdoor IconicStealer
2023-03-30Rapid7 LabsRapid7
@online{rapid7:20230330:backdoored:9d84780, author = {Rapid7}, title = {{Backdoored 3CXDesktopApp Installer Used in Active Threat Campaign}}, date = {2023-03-30}, organization = {Rapid7 Labs}, url = {https://www.rapid7.com/blog/post/2023/03/30/backdoored-3cxdesktopapp-installer-used-in-active-threat-campaign/}, language = {English}, urldate = {2023-04-02} } Backdoored 3CXDesktopApp Installer Used in Active Threat Campaign
3CX Backdoor
2023-03-30SymantecThreat Hunter Team
@online{team:20230330:3cx:fb5b214, author = {Threat Hunter Team}, title = {{3CX: Supply Chain Attack Affects Thousands of Users Worldwide}}, date = {2023-03-30}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3cx-supply-chain-attack}, language = {English}, urldate = {2023-04-02} } 3CX: Supply Chain Attack Affects Thousands of Users Worldwide
3CX Backdoor IconicStealer
2023-03-30FortiguardFortiGuard Labs
@online{labs:20230330:3cx:32dbee5, author = {FortiGuard Labs}, title = {{3CX Desktop App Compromised (CVE-2023-29059)}}, date = {2023-03-30}, organization = {Fortiguard}, url = {https://www.fortinet.com/blog/threat-research/3cx-desktop-app-compromised}, language = {English}, urldate = {2023-04-02} } 3CX Desktop App Compromised (CVE-2023-29059)
3CX Backdoor
2023-03-30Trend MicroTrend Micro Research
@online{research:20230330:developing:2895b8a, author = {Trend Micro Research}, title = {{Developing Story: Information on Attacks Involving 3CX Desktop App}}, date = {2023-03-30}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/c/information-on-attacks-involving-3cx-desktop-app.html}, language = {English}, urldate = {2023-04-02} } Developing Story: Information on Attacks Involving 3CX Desktop App
3CX Backdoor IconicStealer
2023-03-30CrowdStrikeCS ENGINEER
@online{engineer:20230330:20230329:49be400, author = {CS ENGINEER}, title = {{2023-03-29 // SITUATIONAL AWARENESS // CrowdStrike Tracking Active Intrusion Campaign Targeting 3CX Customers}}, date = {2023-03-30}, organization = {CrowdStrike}, url = {https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/}, language = {English}, urldate = {2023-04-02} } 2023-03-29 // SITUATIONAL AWARENESS // CrowdStrike Tracking Active Intrusion Campaign Targeting 3CX Customers
3CX Backdoor
2023-03-30Cado SecurityCado Security
@online{security:20230330:forensic:77e03e1, author = {Cado Security}, title = {{Forensic Triage of a Windows System running the Backdoored 3CX Desktop App}}, date = {2023-03-30}, organization = {Cado Security}, url = {https://www.cadosecurity.com/forensic-triage-of-a-windows-system-running-the-backdoored-3cx-desktop-app/}, language = {English}, urldate = {2023-04-02} } Forensic Triage of a Windows System running the Backdoored 3CX Desktop App
3CX Backdoor
2023-03-30ElasticDaniel Stepanic, Remco Sprooten, Joe Desimone, Samir Bousseaden, Devon Kerr
@online{stepanic:20230330:elastic:8671074, author = {Daniel Stepanic and Remco Sprooten and Joe Desimone and Samir Bousseaden and Devon Kerr}, title = {{Elastic users protected from SUDDENICON’s supply chain attack}}, date = {2023-03-30}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack}, language = {English}, urldate = {2023-04-02} } Elastic users protected from SUDDENICON’s supply chain attack
3CX Backdoor
2023-03-30OALabsSergei Frankoff
@online{frankoff:20230330:3cx:244fb6e, author = {Sergei Frankoff}, title = {{3CX Supply Chain Attack}}, date = {2023-03-30}, organization = {OALabs}, url = {https://research.openanalysis.net/3cx/northkorea/apt/triage/2023/03/30/3cx-malware.html#Functionality}, language = {English}, urldate = {2023-04-06} } 3CX Supply Chain Attack
3CX Backdoor
2023-03-29CrowdStrikeResearch & Threat Intel
@online{intel:20230329:crowdstrike:cafb1f8, author = {Research & Threat Intel}, title = {{CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers}}, date = {2023-03-29}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/}, language = {English}, urldate = {2023-03-30} } CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers
3CX Backdoor
2023-03-29SentinelOneJuan Andrés Guerrero-Saade
@online{guerrerosaade:20230329:smoothoperator:42df1eb, author = {Juan Andrés Guerrero-Saade}, title = {{SmoothOperator | Ongoing Campaign Trojanizes 3CXDesktopApp in Supply Chain Attack}}, date = {2023-03-29}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/}, language = {English}, urldate = {2023-03-30} } SmoothOperator | Ongoing Campaign Trojanizes 3CXDesktopApp in Supply Chain Attack
3CX Backdoor
2023-03-29Objective-SeePatrick Wardle
@online{wardle:20230329:ironing:7faf1d3, author = {Patrick Wardle}, title = {{Ironing out (the macOS details) of a Smooth Operator}}, date = {2023-03-29}, organization = {Objective-See}, url = {https://objective-see.org/blog/blog_0x73.html}, language = {English}, urldate = {2023-04-02} } Ironing out (the macOS details) of a Smooth Operator
3CX Backdoor
2023-03-20SecurityIntelligenceJohn Dwyer
@online{dwyer:20230320:when:3f1345c, author = {John Dwyer}, title = {{When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule}}, date = {2023-03-20}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/defensive-considerations-lazarus-fudmodule/}, language = {English}, urldate = {2023-03-21} } When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule
FudModule
2023-03-09MandiantMandiant Intelligence
@online{intelligence:20230309:stealing:649068b, author = {Mandiant Intelligence}, title = {{Stealing the LIGHTSHOW (Part Two) — LIGHTSHIFT and LIGHTSHOW}}, date = {2023-03-09}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/lightshift-and-lightshow}, language = {English}, urldate = {2023-07-05} } Stealing the LIGHTSHOW (Part Two) — LIGHTSHIFT and LIGHTSHOW
FudModule
2023-03-09MandiantMandiant Intelligence
@online{intelligence:20230309:stealing:3112fc7, author = {Mandiant Intelligence}, title = {{Stealing the LIGHTSHOW (Part One) — North Korea's UNC2970}}, date = {2023-03-09}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970}, language = {English}, urldate = {2023-03-13} } Stealing the LIGHTSHOW (Part One) — North Korea's UNC2970
CLOUDBURST TOUCHMOVE TOUCHSHIFT
2023-02-23BitdefenderMartin Zugec, Bitdefender Team
@online{zugec:20230223:technical:710242c, author = {Martin Zugec and Bitdefender Team}, title = {{Technical Advisory: Various Threat Actors Targeting ManageEngine Exploit CVE-2022-47966}}, date = {2023-02-23}, organization = {Bitdefender}, url = {https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966}, language = {English}, urldate = {2023-08-25} } Technical Advisory: Various Threat Actors Targeting ManageEngine Exploit CVE-2022-47966
Cobalt Strike DarkComet QuiteRAT RATel
2023-02-23ESET ResearchVladislav Hrčka
@online{hrka:20230223:winordll64:73e8cbf, author = {Vladislav Hrčka}, title = {{WinorDLL64: A backdoor from the vast Lazarus arsenal?}}, date = {2023-02-23}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2023/02/23/winordll64-backdoor-vast-lazarus-arsenal/}, language = {English}, urldate = {2023-02-27} } WinorDLL64: A backdoor from the vast Lazarus arsenal?
WinorDLL64
2023-02-21SecurityIntelligenceRuben Boonen
@online{boonen:20230221:direct:6f70379, author = {Ruben Boonen}, title = {{Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers}}, date = {2023-02-21}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/direct-kernel-object-manipulation-attacks-etw-providers/}, language = {English}, urldate = {2023-03-21} } Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers
FudModule
2023-02-09NSA, FBI, CISA, HHS, ROK, DSA
@techreport{nsa:20230209:stopransomware:87d3a94, author = {NSA and FBI and CISA and HHS and ROK and DSA}, title = {{#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities}}, date = {2023-02-09}, institution = {}, url = {https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF}, language = {English}, urldate = {2023-08-25} } #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities
Dtrack MagicRAT Maui Ransomware SiennaBlue SiennaPurple Tiger RAT YamaBot
2023-02-02WithSecureSami Ruohonen, Stephen Robinson
@techreport{ruohonen:20230202:no:2a5fce3, author = {Sami Ruohonen and Stephen Robinson}, title = {{No Pineapple! –DPRK Targeting of Medical Research and Technology Sector}}, date = {2023-02-02}, institution = {WithSecure}, url = {https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf}, language = {English}, urldate = {2023-08-25} } No Pineapple! –DPRK Targeting of Medical Research and Technology Sector
Dtrack GREASE QuiteRAT
2023-01-05AttackIQFrancis Guibernau, Ken Towne
@online{guibernau:20230105:emulating:04eb5ed, author = {Francis Guibernau and Ken Towne}, title = {{Emulating the Highly Sophisticated North Korean Adversary Lazarus Group}}, date = {2023-01-05}, organization = {AttackIQ}, url = {https://www.attackiq.com/2023/01/05/emulating-the-highly-sophisticated-north-korean-adversary-lazarus-group/}, language = {English}, urldate = {2023-01-10} } Emulating the Highly Sophisticated North Korean Adversary Lazarus Group
MagicRAT Tiger RAT
2022-12-27KasperskySeongsu Park
@online{park:20221227:bluenoroff:383c86f, author = {Seongsu Park}, title = {{BlueNoroff introduces new methods bypassing MoTW}}, date = {2022-12-27}, organization = {Kaspersky}, url = {https://securelist.com/bluenoroff-methods-bypass-motw/108383/}, language = {English}, urldate = {2023-06-29} } BlueNoroff introduces new methods bypassing MoTW
LazarLoader Unidentified 101 (Lazarus?)
2022-12-20K7 SecurityMellvin S
@online{s:20221220:lazarus:41a5f95, author = {Mellvin S}, title = {{Lazarus APT’s Operation Interception Uses Signed Binary}}, date = {2022-12-20}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/lazarus-apts-operation-interception-uses-signed-binary/}, language = {English}, urldate = {2022-12-29} } Lazarus APT’s Operation Interception Uses Signed Binary
Interception
2022-12-16SekoiaThreat & Detection Research Team, Jamila B.
@online{team:20221216:dprk:4abe047, author = {Threat & Detection Research Team and Jamila B.}, title = {{The DPRK delicate sound of cyber}}, date = {2022-12-16}, organization = {Sekoia}, url = {https://blog.sekoia.io/the-dprk-delicate-sound-of-cyber/}, language = {English}, urldate = {2023-09-18} } The DPRK delicate sound of cyber
AppleJeus AppleJeus SnatchCrypto
2022-11-29QianxinRed Raindrop Team
@online{team:20221129:job:1749e9c, author = {Red Raindrop Team}, title = {{Job hunting trap: Analysis of Lazarus attack activities using recruitment information such as Mizuho Bank of Japan as bait}}, date = {2022-11-29}, organization = {Qianxin}, url = {https://mp.weixin.qq.com/s/nnLqUBPX8xZ3hCr5u-iSjQ}, language = {Chinese}, urldate = {2023-07-11} } Job hunting trap: Analysis of Lazarus attack activities using recruitment information such as Mizuho Bank of Japan as bait
CageyChameleon Cur1Downloader
2022-11-23Twitter (@RedDrip7)RedDrip Team
@online{team:20221123:tweets:726f590, author = {RedDrip Team}, title = {{Tweets about potential Lazarus sample}}, date = {2022-11-23}, organization = {Twitter (@RedDrip7)}, url = {https://twitter.com/RedDrip7/status/1595365451495706624}, language = {English}, urldate = {2022-12-20} } Tweets about potential Lazarus sample
Unidentified 101 (Lazarus?)
2022-11-21vmwareThreat Analysis Unit
@online{unit:20221121:threat:7972abc, author = {Threat Analysis Unit}, title = {{Threat Analysis: Active C2 Discovery Using Protocol Emulation Part4 (Dacls, aka MATA)}}, date = {2022-11-21}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/11/threat-analysis-active-c2-discovery-using-protocol-emulation-part4-dacls-aka-mata.html}, language = {English}, urldate = {2022-11-28} } Threat Analysis: Active C2 Discovery Using Protocol Emulation Part4 (Dacls, aka MATA)
Dacls
2022-11-15Kaspersky LabsKonstantin Zykov, Jornt van der Wiel
@online{zykov:20221115:dtrack:9f8ed2a, author = {Konstantin Zykov and Jornt van der Wiel}, title = {{DTrack activity targeting Europe and Latin America}}, date = {2022-11-15}, organization = {Kaspersky Labs}, url = {https://securelist.com/dtrack-targeting-europe-latin-america/107798/}, language = {English}, urldate = {2022-11-18} } DTrack activity targeting Europe and Latin America
Dtrack
2022-10-24AhnLabASEC Analysis Team
@online{team:20221024:malware:495a611, author = {ASEC Analysis Team}, title = {{Malware infection case of Lazarus attack group that neutralizes antivirus program with BYOVD technique}}, date = {2022-10-24}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/40495/}, language = {Korean}, urldate = {2022-10-25} } Malware infection case of Lazarus attack group that neutralizes antivirus program with BYOVD technique
LazarDoor
2022-09-30Virus BulletinPeter Kálnai, Matěj Havránek
@techreport{klnai:20220930:lazarus:efbd75d, author = {Peter Kálnai and Matěj Havránek}, title = {{Lazarus & BYOVD: evil to the Windows core}}, date = {2022-09-30}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Lazarus-and-BYOVD-evil-to-the-Windows-core.pdf}, language = {English}, urldate = {2023-07-11} } Lazarus & BYOVD: evil to the Windows core
FudModule
2022-09-30ESET ResearchPeter Kálnai
@online{klnai:20220930:amazonthemed:bf959b5, author = {Peter Kálnai}, title = {{Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium}}, date = {2022-09-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/}, language = {English}, urldate = {2023-07-05} } Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium
BLINDINGCAN FudModule HTTP(S) uploader TOUCHMOVE
2022-09-29 | Microsoft | Microsoft Security Threat Intelligence, LinkedIn Threat Prevention and Defense
@online{intelligence:20220929:zinc:4b8e6c0, author = {Microsoft Security Threat Intelligence and LinkedIn Threat Prevention and Defense}, title = {{ZINC weaponizing open-source software}}, date = {2022-09-29}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/}, language = {English}, urldate = {2023-08-11} } ZINC weaponizing open-source software
CLOUDBURST
2022-09-26 | SentinelOne | Dinesh Devadoss, Phil Stokes
@online{devadoss:20220926:lazarus:36bd682, author = {Dinesh Devadoss and Phil Stokes}, title = {{Lazarus ‘Operation In(ter)ception’ Targets macOS Users Dreaming of Jobs in Crypto}}, date = {2022-09-26}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto}, language = {English}, urldate = {2023-08-13} } Lazarus ‘Operation In(ter)ception’ Targets macOS Users Dreaming of Jobs in Crypto
Interception
2022-09-26 | CrowdStrike | Ioan Iacob, Iulian Madalin Ionita
@online{iacob:20220926:anatomy:248e6ff, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 3: Input/Output Controls}}, date = {2022-09-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/}, language = {English}, urldate = {2022-09-29} } The Anatomy of Wiper Malware, Part 3: Input/Output Controls
CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-09-22 | AhnLab | AhnLab ASEC Analysis Team
@techreport{team:20220922:analysis:9dea34b, author = {AhnLab ASEC Analysis Team}, title = {{Analysis Report on Lazarus Group's Rootkit Attack Using BYOVD}}, date = {2022-09-22}, institution = {AhnLab}, url = {https://asec.ahnlab.com/wp-content/uploads/2022/09/Analysis-Report-on-Lazarus-Groups-Rootkit-Attack-Using-BYOVD_Sep-22-2022.pdf}, language = {English}, urldate = {2022-12-29} } Analysis Report on Lazarus Group's Rootkit Attack Using BYOVD
FudModule
2022-09-15 | Symantec | Threat Hunter Team
@online{team:20220915:webworm:500c850, author = {Threat Hunter Team}, title = {{Webworm: Espionage Attackers Testing and Using Older Modified RATs}}, date = {2022-09-15}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats}, language = {English}, urldate = {2022-09-20} } Webworm: Espionage Attackers Testing and Using Older Modified RATs
9002 RAT Ghost RAT Trochilus RAT
2022-09-14 | Mandiant | macla, Mathew Potaczek, Nino Isakovic, Matt Williams, Yash Gupta
@online{macla:20220914:its:1d63d78, author = {macla and Mathew Potaczek and Nino Isakovic and Matt Williams and Yash Gupta}, title = {{It's Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp}}, date = {2022-09-14}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing}, language = {English}, urldate = {2022-09-19} } It's Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp
BLINDINGCAN
2022-09-10 | Malverse | greenplan
@online{greenplan:20220910:realizziamo:2eaa6a4, author = {greenplan}, title = {{Realizziamo un C&C Server in Python (Bankshot)}}, date = {2022-09-10}, organization = {Malverse}, url = {https://malverse.it/analisi-bankshot-copperhedge}, language = {Italian}, urldate = {2022-09-26} } Realizziamo un C&C Server in Python (Bankshot)
Bankshot
2022-09-08 | Cisco Talos | Jung soo An, Asheer Malhotra, Vitor Ventura
@online{an:20220908:lazarus:236b4b4, author = {Jung soo An and Asheer Malhotra and Vitor Ventura}, title = {{Lazarus and the tale of three RATs}}, date = {2022-09-08}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html}, language = {English}, urldate = {2023-01-19} } Lazarus and the tale of three RATs
MagicRAT MimiKatz VSingle YamaBot
2022-09-07 | Cisco Talos | Jung soo An, Asheer Malhotra, Vitor Ventura
@online{an:20220907:magicrat:efb6a3d, author = {Jung soo An and Asheer Malhotra and Vitor Ventura}, title = {{MagicRAT: Lazarus’ latest gateway into victim networks}}, date = {2022-09-07}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html}, language = {English}, urldate = {2022-09-16} } MagicRAT: Lazarus’ latest gateway into victim networks
MagicRAT Tiger RAT
2022-08-16 | Twitter (@ESETresearch) | Peter Kálnai, Dominik Breitenbacher
@online{klnai:20220816:twitter:cb6878b, author = {Peter Kálnai and Dominik Breitenbacher}, title = {{Twitter thread about Operation In(ter)ception for macOS}}, date = {2022-08-16}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1559553324998955010}, language = {English}, urldate = {2023-08-14} } Twitter thread about Operation In(ter)ception for macOS
Interception
2022-08-13 | YouTube (Blue Team Village) | Seongsu Park
@online{park:20220813:attribution:a689611, author = {Seongsu Park}, title = {{Attribution and Bias: My terrible mistakes in threat intelligence attribution}}, date = {2022-08-13}, organization = {YouTube (Blue Team Village)}, url = {https://www.youtube.com/watch?v=rjA0Vf75cYk}, language = {English}, urldate = {2022-09-19} } Attribution and Bias: My terrible mistakes in threat intelligence attribution
AppleJeus Olympic Destroyer
2022-08-12 | CrowdStrike | Ioan Iacob, Iulian Madalin Ionita
@online{iacob:20220812:anatomy:b13ce32, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 1: Common Techniques}}, date = {2022-08-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/}, language = {English}, urldate = {2023-01-19} } The Anatomy of Wiper Malware, Part 1: Common Techniques
Apostle CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-08-09 | Kaspersky | Kurt Baumgartner, Seongsu Park
@online{baumgartner:20220809:andariel:89d6b24, author = {Kurt Baumgartner and Seongsu Park}, title = {{Andariel deploys DTrack and Maui ransomware}}, date = {2022-08-09}, organization = {Kaspersky}, url = {https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/}, language = {English}, urldate = {2022-08-11} } Andariel deploys DTrack and Maui ransomware
Dtrack Maui Ransomware
2022-07-18 | Palo Alto Networks Unit 42 | Unit 42
@online{42:20220718:iron:f7586c5, author = {Unit 42}, title = {{Iron Taurus}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/iron-taurus/}, language = {English}, urldate = {2022-07-29} } Iron Taurus
CHINACHOPPER Ghost RAT Wonknu ZXShell APT27
2022-07-05 | JPCERT/CC | Shusei Tomonaga
@online{tomonaga:20220705:vsingle:85138e2, author = {Shusei Tomonaga}, title = {{VSingle malware that obtains C2 server information from GitHub}}, date = {2022-07-05}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2022/07/vsingle.html}, language = {English}, urldate = {2022-07-05} } VSingle malware that obtains C2 server information from GitHub
VSingle
2022-06-21 | Cisco Talos | Flavio Costa, Chris Neal, Guilherme Venere
@online{costa:20220621:avos:b60a2ad, author = {Flavio Costa and Chris Neal and Guilherme Venere}, title = {{Avos ransomware group expands with new attack arsenal}}, date = {2022-06-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html}, language = {English}, urldate = {2022-06-22} } Avos ransomware group expands with new attack arsenal
AvosLocker Cobalt Strike DarkComet MimiKatz
2022-05-23 | Trend Micro | Daniel Lunghi, Jaromír Hořejší
@techreport{lunghi:20220523:operation:e3c402b, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{Operation Earth Berberoka}}, date = {2022-05-23}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf}, language = {English}, urldate = {2022-07-25} } Operation Earth Berberoka
reptile oRAT Ghost RAT PlugX pupy Earth Berberoka
2022-05-09 | cocomelonc | cocomelonc
@online{cocomelonc:20220509:malware:1cdee23, author = {cocomelonc}, title = {{Malware development: persistence - part 4. Windows services. Simple C++ example.}}, date = {2022-05-09}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html}, language = {English}, urldate = {2022-12-01} } Malware development: persistence - part 4. Windows services. Simple C++ example.
Anchor AppleJeus Attor BBSRAT BlackEnergy Carbanak Cobalt Strike DuQu
2022-05-05 | NCC Group | Michael Matthews, Nikolaos Pantazopoulos
@online{matthews:20220505:north:22bd1ef, author = {Michael Matthews and Nikolaos Pantazopoulos}, title = {{North Korea’s Lazarus: their initial access trade-craft using social media and social engineering}}, date = {2022-05-05}, organization = {NCC Group}, url = {https://research.nccgroup.com/2022/05/05/north-koreas-lazarus-and-their-initial-access-trade-craft-using-social-media-and-social-engineering/}, language = {English}, urldate = {2022-05-05} } North Korea’s Lazarus: their initial access trade-craft using social media and social engineering
LCPDot
2022-04-27 | Symantec | Threat Hunter Team
@online{team:20220427:stonefly:15dabdd, author = {Threat Hunter Team}, title = {{Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets}}, date = {2022-04-27}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage}, language = {English}, urldate = {2023-08-28} } Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets
Dtrack VSingle
2022-04-27 | Trend Micro | Daniel Lunghi, Jaromír Hořejší
@online{lunghi:20220427:new:9068f6e, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware}}, date = {2022-04-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html}, language = {English}, urldate = {2023-04-18} } New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware
HelloBot AsyncRAT Ghost RAT HelloBot PlugX Quasar RAT Earth Berberoka
2022-04-27 | Trendmicro | Daniel Lunghi, Jaromír Hořejší
@techreport{lunghi:20220427:operation:bdba881, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{Operation Gambling Puppet}}, date = {2022-04-27}, institution = {Trendmicro}, url = {https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf}, language = {English}, urldate = {2022-07-25} } Operation Gambling Puppet
reptile oRAT AsyncRAT Cobalt Strike DCRat Ghost RAT PlugX Quasar RAT Trochilus RAT Earth Berberoka
2022-04-26 | Trend Micro | Ryan Flores, Stephen Hilt, Lord Alfred Remorin
@online{flores:20220426:how:28d9476, author = {Ryan Flores and Stephen Hilt and Lord Alfred Remorin}, title = {{How Cybercriminals Abuse Cloud Tunneling Services}}, date = {2022-04-26}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services}, language = {English}, urldate = {2022-05-03} } How Cybercriminals Abuse Cloud Tunneling Services
AsyncRAT Cobalt Strike DarkComet Meterpreter Nanocore RAT
2022-04-18 | CISA | CISA, U.S. Department of the Treasury, FBI
@techreport{cisa:20220418:aa22108a:a0a81c6, author = {CISA and U.S. Department of the Treasury and FBI}, title = {{AA22-108A: TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies (PDF)}}, date = {2022-04-18}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-108A-TraderTraitor-North_Korea_APT_Targets_Blockchain_Companies.pdf}, language = {English}, urldate = {2022-04-20} } AA22-108A: TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies (PDF)
FastCash Bankshot
2022-04-18 | CISA | CISA, FBI, U.S. Department of the Treasury
@online{cisa:20220418:alert:dcc72c0, author = {CISA and FBI and U.S. Department of the Treasury}, title = {{Alert (AA22-108A): TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies}}, date = {2022-04-18}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-108a}, language = {English}, urldate = {2022-04-25} } Alert (AA22-108A): TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies
Bankshot
2022-04-15 | Center for Internet Security | CIS
@online{cis:20220415:top:62c8245, author = {CIS}, title = {{Top 10 Malware March 2022}}, date = {2022-04-15}, organization = {Center for Internet Security}, url = {https://www.cisecurity.org/insights/blog/top-10-malware-march-2022}, language = {English}, urldate = {2023-02-17} } Top 10 Malware March 2022
Mirai Shlayer Agent Tesla Ghost RAT Nanocore RAT SectopRAT solarmarker Zeus
2022-04-14 | Symantec | Threat Hunter Team
@online{team:20220414:lazarus:8e13a88, author = {Threat Hunter Team}, title = {{Lazarus Targets Chemical Sector}}, date = {2022-04-14}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical}, language = {English}, urldate = {2023-07-08} } Lazarus Targets Chemical Sector
Racket Downloader
2022-04-01 | The Hacker News | Ravie Lakshmanan
@online{lakshmanan:20220401:chinese:0b445c6, author = {Ravie Lakshmanan}, title = {{Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit}}, date = {2022-04-01}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html}, language = {English}, urldate = {2022-04-04} } Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit
Fire Chili Ghost RAT
2022-03-31 | Kaspersky | GReAT
@online{great:20220331:lazarus:540b96e, author = {GReAT}, title = {{Lazarus Trojanized DeFi app for delivering malware}}, date = {2022-03-31}, organization = {Kaspersky}, url = {https://securelist.com/lazarus-trojanized-defi-app/106195/}, language = {English}, urldate = {2023-07-28} } Lazarus Trojanized DeFi app for delivering malware
JessieConTea LCPDot
2022-03-30 | Fortinet | Rotem Sde-Or, Eliran Voronovitch
@online{sdeor:20220330:new:8eeff0d, author = {Rotem Sde-Or and Eliran Voronovitch}, title = {{New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits}}, date = {2022-03-30}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits}, language = {English}, urldate = {2022-03-31} } New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits
Fire Chili Ghost RAT
2022-03-17 | Sophos | Tilly Travers
@online{travers:20220317:ransomware:df38f2f, author = {Tilly Travers}, title = {{The Ransomware Threat Intelligence Center}}, date = {2022-03-17}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/}, language = {English}, urldate = {2022-03-18} } The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2022-03-16 | AhnLab | ASEC Analysis Team
@online{team:20220316:gh0stcringe:65e2d3e, author = {ASEC Analysis Team}, title = {{Gh0stCringe RAT Being Distributed to Vulnerable Database Servers}}, date = {2022-03-16}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/32572/}, language = {English}, urldate = {2022-04-14} } Gh0stCringe RAT Being Distributed to Vulnerable Database Servers
Ghost RAT Kingminer
2022-03-01 | Github (0xZuk0) | Dipankar Lama
@techreport{lama:20220301:malware:865ab35, author = {Dipankar Lama}, title = {{Malware Analysis Report: WannaCry Ransomware}}, date = {2022-03-01}, institution = {Github (0xZuk0)}, url = {https://github.com/0xZuk0/rules-of-yaras/blob/main/reports/Wannacry%20Ransomware%20Report.pdf}, language = {English}, urldate = {2022-03-07} } Malware Analysis Report: WannaCry Ransomware
WannaCryptor
2022-02-11 | Cisco Talos | Talos
@online{talos:20220211:threat:fcad762, author = {Talos}, title = {{Threat Roundup for February 4 to February 11}}, date = {2022-02-11}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html}, language = {English}, urldate = {2022-02-14} } Threat Roundup for February 4 to February 11
DarkComet Ghost RAT Loki Password Stealer (PWS) Tinba Tofsee Zeus
2022-02-09 | Sentinel LABS | Tom Hegel
@online{hegel:20220209:modifiedelephant:b004138, author = {Tom Hegel}, title = {{ModifiedElephant APT and a Decade of Fabricating Evidence}}, date = {2022-02-09}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/}, language = {English}, urldate = {2022-02-14} } ModifiedElephant APT and a Decade of Fabricating Evidence
DarkComet Incubator NetWire RC ModifiedElephant
2022-02-09 | SentinelOne | Tom Hegel, Juan Andrés Guerrero-Saade
@techreport{hegel:20220209:modified:3c039c6, author = {Tom Hegel and Juan Andrés Guerrero-Saade}, title = {{Modified Elephant APT and a Decade of Fabricating Evidence}}, date = {2022-02-09}, institution = {SentinelOne}, url = {https://www.sentinelone.com/wp-content/uploads/2022/02/Modified-Elephant-APT-and-a-Decade-of-Fabricating-Evidence-SentinelLabs.pdf}, language = {English}, urldate = {2022-02-14} } Modified Elephant APT and a Decade of Fabricating Evidence
DarkComet Incubator NetWire RC
2022-01-31 | Cyber Geeks | Vlad Pasca
@online{pasca:20220131:detailed:262ea52, author = {Vlad Pasca}, title = {{A Detailed Analysis Of Lazarus APT Malware Disguised As Notepad++ Shell Extension}}, date = {2022-01-31}, organization = {Cyber Geeks}, url = {https://cybergeeks.tech/a-detailed-analysis-of-lazarus-malware-disguised-as-notepad-shell-extension/}, language = {English}, urldate = {2023-07-24} } A Detailed Analysis Of Lazarus APT Malware Disguised As Notepad++ Shell Extension
AnchorMTea
2022-01-13 | Kaspersky Labs | Seongsu Park, Vitaly Kamluk
@online{park:20220113:bluenoroff:a3ce5e4, author = {Seongsu Park and Vitaly Kamluk}, title = {{The BlueNoroff cryptocurrency hunt is still on}}, date = {2022-01-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/}, language = {English}, urldate = {2023-08-10} } The BlueNoroff cryptocurrency hunt is still on
CageyChameleon SnatchCrypto WebbyTea
2021-12-14 | Trend Micro | Nick Dai, Ted Lee, Vickie Su
@online{dai:20211214:collecting:3d6dd34, author = {Nick Dai and Ted Lee and Vickie Su}, title = {{Collecting In the Dark: Tropic Trooper Targets Transportation and Government}}, date = {2021-12-14}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html}, language = {English}, urldate = {2022-03-30} } Collecting In the Dark: Tropic Trooper Targets Transportation and Government
ChiserClient Ghost RAT Lilith Quasar RAT xPack
2021-12 | ThreatBook | ThreatBook
@techreport{threatbook:202112:lazarus:63ddb59, author = {ThreatBook}, title = {{The Lazarus Group suspected of expanding its arsenal? The hackers target aviation industry and researchers}}, date = {2021-12}, institution = {ThreatBook}, url = {http://report.threatbook.cn/LS.pdf}, language = {Chinese}, urldate = {2023-07-24} } The Lazarus Group suspected of expanding its arsenal? The hackers target aviation industry and researchers
AnchorMTea
2021-11-10 | AhnLab | ASEC Analysis Team
@techreport{team:20211110:analysis:9630125, author = {ASEC Analysis Team}, title = {{Analysis Report of Lazarus Group’s NukeSped Malware}}, date = {2021-11-10}, institution = {AhnLab}, url = {https://asec.ahnlab.com/wp-content/uploads/2021/11/Lazarus-%EA%B7%B8%EB%A3%B9%EC%9D%98-NukeSped-%EC%95%85%EC%84%B1%EC%BD%94%EB%93%9C-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C.pdf}, language = {Korean}, urldate = {2023-08-17} } Analysis Report of Lazarus Group’s NukeSped Malware
DarkComet Tiger RAT
2021-10-11 | Telsy | Telsy
@online{telsy:20211011:lazarus:7e07a1e, author = {Telsy}, title = {{Lazarus Group continues AppleJeus Operation}}, date = {2021-10-11}, organization = {Telsy}, url = {https://www.telsy.com/download/5394/?uid=28b0a4577e}, language = {English}, urldate = {2021-10-26} } Lazarus Group continues AppleJeus Operation
AppleJeus
2021-10-08 | Virus Bulletin | Seongsu Park
@techreport{park:20211008:multiuniverse:87fc078, author = {Seongsu Park}, title = {{Multi-universe of adversary: multiple campaigns of the Lazarus group and their connections}}, date = {2021-10-08}, institution = {Virus Bulletin}, url = {https://vblocalhost.com/uploads/VB2021-Park.pdf}, language = {English}, urldate = {2023-07-24} } Multi-universe of adversary: multiple campaigns of the Lazarus group and their connections
Dacls AppleJeus AppleJeus Bankshot BookCodes RAT Dacls DRATzarus LCPDot LPEClient
2021-10-07 | Virus Bulletin | Taewoo Lee, Dongwook Kim, Byeongjae Kim
@techreport{lee:20211007:operation:0e74d68, author = {Taewoo Lee and Dongwook Kim and Byeongjae Kim}, title = {{Operation Bookcodes – targeting South Korea}}, date = {2021-10-07}, institution = {Virus Bulletin}, url = {https://vblocalhost.com/uploads/VB2021-Lee-etal.pdf}, language = {English}, urldate = {2023-07-24} } Operation Bookcodes – targeting South Korea
BookCodes RAT LPEClient
2021-10-05 | Blackberry | The BlackBerry Research & Intelligence Team
@online{team:20211005:drawing:e53477d, author = {The BlackBerry Research & Intelligence Team}, title = {{Drawing a Dragon: Connecting the Dots to Find APT41}}, date = {2021-10-05}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41}, language = {English}, urldate = {2021-10-11} } Drawing a Dragon: Connecting the Dots to Find APT41
Cobalt Strike Ghost RAT
2021-10-04 | JPCERT/CC | Shusei Tomonaga
@online{tomonaga:20211004:malware:5ba808a, author = {Shusei Tomonaga}, title = {{Malware Gh0stTimes Used by BlackTech}}, date = {2021-10-04}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html}, language = {English}, urldate = {2021-10-11} } Malware Gh0stTimes Used by BlackTech
Gh0stTimes Ghost RAT
2021-09-07 | LIFARS | Vlad Pasca
@techreport{pasca:20210907:detailed:2e29866, author = {Vlad Pasca}, title = {{A Detailed Analysis of Lazarus’ RAT Called FALLCHILL}}, date = {2021-09-07}, institution = {LIFARS}, url = {https://lifars.com/wp-content/uploads/2021/09/Lazarus.pdf}, language = {English}, urldate = {2022-01-20} } A Detailed Analysis of Lazarus’ RAT Called FALLCHILL
Volgmer
2021-09-06 | cocomelonc | cocomelonc
@online{cocomelonc:20210906:av:215e5aa, author = {cocomelonc}, title = {{AV engines evasion for C++ simple malware: part 2}}, date = {2021-09-06}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html}, language = {English}, urldate = {2023-07-24} } AV engines evasion for C++ simple malware: part 2
Agent Tesla Amadey Anchor AnchorMTea Carbanak Carberp Cardinal RAT Felixroot Konni Loki Password Stealer (PWS) Maze
2021-09-04 | cocomelonc | cocomelonc
@online{cocomelonc:20210904:av:06b27c5, author = {cocomelonc}, title = {{AV engines evasion for C++ simple malware: part 1}}, date = {2021-09-04}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html}, language = {English}, urldate = {2022-11-28} } AV engines evasion for C++ simple malware: part 1
4h_rat Azorult BADCALL BadNews BazarBackdoor Cardinal RAT
2021-08-22 | Malware and Stuff | Andreas Klopsch
@online{klopsch:20210822:peb:c8b9cea, author = {Andreas Klopsch}, title = {{PEB: Where Magic Is Stored}}, date = {2021-08-22}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/peb-where-magic-is-stored/}, language = {English}, urldate = {2021-09-19} } PEB: Where Magic Is Stored
Dacls
2021-08-22 | media.ccc.de | Lars Wallenborn
@online{wallenborn:20210822:bangladesh:46f557f, author = {Lars Wallenborn}, title = {{The Bangladesh cyber bank robbery: Tracking down major criminals with malware analysis}}, date = {2021-08-22}, organization = {media.ccc.de}, url = {https://media.ccc.de/v/froscon2021-2670-der_cyber-bankraub_von_bangladesch}, language = {German}, urldate = {2021-09-10} } The Bangladesh cyber bank robbery: Tracking down major criminals with malware analysis
DYEPACK
2021-08-05 | KrebsOnSecurity | Brian Krebs
@online{krebs:20210805:ransomware:0962b82, author = {Brian Krebs}, title = {{Ransomware Gangs and the Name Game Distraction}}, date = {2021-08-05}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/}, language = {English}, urldate = {2021-12-13} } Ransomware Gangs and the Name Game Distraction
DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze RansomEXX REvil Ryuk Sekhmet
2021-07-10 | Youtube (AhmedS Kasmani) | AhmedS Kasmani
@online{kasmani:20210710:analysis:35afafd, author = {AhmedS Kasmani}, title = {{Analysis of AppleJeus Malware by Lazarus Group}}, date = {2021-07-10}, organization = {Youtube (AhmedS Kasmani)}, url = {https://www.youtube.com/watch?v=1NkzTKkEM2k}, language = {English}, urldate = {2021-07-20} } Analysis of AppleJeus Malware by Lazarus Group
AppleJeus
2021-07-08 | Medium s2wlab | Sojun Ryu
@online{ryu:20210708:analysis:65a332a, author = {Sojun Ryu}, title = {{Analysis of Lazarus malware abusing Non-ActiveX Module in South Korea}}, date = {2021-07-08}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/analysis-of-lazarus-malware-abusing-non-activex-module-in-south-korea-7d52b9539c12}, language = {English}, urldate = {2023-04-14} } Analysis of Lazarus malware abusing Non-ActiveX Module in South Korea
Racket Downloader
2021-06-15 | Kaspersky | Seongsu Park
@online{park:20210615:andariel:1e000a0, author = {Seongsu Park}, title = {{Andariel evolves to target South Korea with ransomware}}, date = {2021-06-15}, organization = {Kaspersky}, url = {https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/}, language = {English}, urldate = {2023-09-22} } Andariel evolves to target South Korea with ransomware
BISTROMATH PEBBLEDASH TigerLite Tiger RAT Unidentified 081 (Andariel Ransomware)
2021-05-11 | Qianxin | Red Raindrop Team
@online{team:20210511:analysis:d95ef63, author = {Red Raindrop Team}, title = {{Analysis of a series of attacks by the suspected Lazarus organization using Daewoo Shipyard as relevant bait}}, date = {2021-05-11}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/Analysis-of-attacks-by-Lazarus-using-Daewoo-shipyard-as-bait/}, language = {Chinese}, urldate = {2023-09-22} } Analysis of a series of attacks by the suspected Lazarus organization using Daewoo Shipyard as relevant bait
BISTROMATH TigerLite
2021-05-05 | Zscaler | Aniruddha Dolas, Mohd Sadique, Manohar Ghule
@online{dolas:20210505:catching:ace83fc, author = {Aniruddha Dolas and Mohd Sadique and Manohar Ghule}, title = {{Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats}}, date = {2021-05-05}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols}, language = {English}, urldate = {2021-05-08} } Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats
Agent Tesla AsyncRAT Crimson RAT CyberGate Ghost RAT Nanocore RAT NetWire RC NjRAT Quasar RAT Remcos
2021-04-28 | Trend Micro | Jaromír Hořejší, Joseph C Chen
@online{hoej:20210428:water:f769ce2, author = {Jaromír Hořejší and Joseph C Chen}, title = {{Water Pamola Attacked Online Shops Via Malicious Orders}}, date = {2021-04-28}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/d/water-pamola-attacked-online-shops-via-malicious-orders.html}, language = {English}, urldate = {2021-05-04} } Water Pamola Attacked Online Shops Via Malicious Orders
Ghost RAT
2021-04-19 | Malwarebytes | Hossein Jazi
@online{jazi:20210419:lazarus:dd2c372, author = {Hossein Jazi}, title = {{Lazarus APT conceals malicious code within BMP image to drop its RAT}}, date = {2021-04-19}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/}, language = {English}, urldate = {2021-06-25} } Lazarus APT conceals malicious code within BMP image to drop its RAT
BISTROMATH
2021-04-15 | AhnLab | AhnLab ASEC Analysis Team
@techreport{team:20210415:operation:98f465e, author = {AhnLab ASEC Analysis Team}, title = {{Operation Dream Job Targeting Job Seekers in South Korea}}, date = {2021-04-15}, institution = {AhnLab}, url = {https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf}, language = {English}, urldate = {2021-05-25} } Operation Dream Job Targeting Job Seekers in South Korea
LCPDot Torisma
2021-04-08 | ESET Research | Filip Jurčacko
@online{juracko:20210408:are:a7f76e6, author = {Filip Jurčacko}, title = {{(Are you) afreight of the dark? Watch out for Vyveva, new Lazarus backdoor}}, date = {2021-04-08}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/04/08/are-you-afreight-dark-watch-out-vyveva-new-lazarus-backdoor/}, language = {English}, urldate = {2023-09-18} } (Are you) afreight of the dark? Watch out for Vyveva, new Lazarus backdoor
Vyveva RAT
2021-04-02 | Dr.Web | Dr.Web
@techreport{drweb:20210402:study:31b191e, author = {Dr.Web}, title = {{Study of targeted attacks on Russian research institutes}}, date = {2021-04-02}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf}, language = {English}, urldate = {2021-04-06} } Study of targeted attacks on Russian research institutes
Cotx RAT Ghost RAT TA428
2021-04-01 | AhnLab | ASEC Analysis Team
@techreport{team:20210401:asec:e2a339e, author = {ASEC Analysis Team}, title = {{ASEC REPORT VOL.102 Q1 2021}}, date = {2021-04-01}, institution = {AhnLab}, url = {https://cn.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf}, language = {English}, urldate = {2023-08-03} } ASEC REPORT VOL.102 Q1 2021
ComeBacker JessieConTea LCPDot
2021-03-22 | JPCERT/CC | Shusei Tomonaga
@online{tomonaga:20210322:lazarus:0adc271, author = {Shusei Tomonaga}, title = {{Lazarus Attack Activities Targeting Japan (VSingle/ValeforBeta)}}, date = {2021-03-22}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2021/03/Lazarus_malware3.html}, language = {English}, urldate = {2021-03-25} } Lazarus Attack Activities Targeting Japan (VSingle/ValeforBeta)
VSingle
2021-03-21 | Blackberry | Blackberry Research
@techreport{research:20210321:2021:a393473, author = {Blackberry Research}, title = {{2021 Threat Report}}, date = {2021-03-21}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf}, language = {English}, urldate = {2021-03-25} } 2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot
2021-03-15 | Sophos Labs | Mark Loman
@online{loman:20210315:dearcry:a7ac407, author = {Mark Loman}, title = {{DearCry ransomware attacks exploit Exchange server vulnerabilities}}, date = {2021-03-15}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/}, language = {English}, urldate = {2021-04-16} } DearCry ransomware attacks exploit Exchange server vulnerabilities
dearcry WannaCryptor
2021-03-03 | SYGNIA | Amitai Ben Shushan, Noam Lifshitz, Amnon Kushnir, Martin Korman, Boaz Wasserman
@online{shushan:20210303:lazarus:60339a7, author = {Amitai Ben Shushan and Noam Lifshitz and Amnon Kushnir and Martin Korman and Boaz Wasserman}, title = {{Lazarus Group’s MATA Framework Leveraged to Deploy TFlower Ransomware}}, date = {2021-03-03}, organization = {SYGNIA}, url = {https://www.sygnia.co/mata-framework}, language = {English}, urldate = {2021-03-04} } Lazarus Group’s MATA Framework Leveraged to Deploy TFlower Ransomware
Dacls Dacls Dacls TFlower
2021-02-28 | PWC UK | PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-02-26 | YouTube (Black Hat) | Kevin Perlow
@online{perlow:20210226:fastcash:2daf61f, author = {Kevin Perlow}, title = {{FASTCash and INJX_Pure: How Threat Actors Use Public Standards for Financial Fraud}}, date = {2021-02-26}, organization = {YouTube (Black Hat)}, url = {https://www.youtube.com/watch?v=zGvQPtejX9w}, language = {English}, urldate = {2021-03-04} } FASTCash and INJX_Pure: How Threat Actors Use Public Standards for Financial Fraud
FastCash
2021-02-25 | Kaspersky Labs | Vyacheslav Kopeytsev, Seongsu Park
@online{kopeytsev:20210225:lazarus:c887c21, author = {Vyacheslav Kopeytsev and Seongsu Park}, title = {{Lazarus targets defense industry with ThreatNeedle}}, date = {2021-02-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/lazarus-threatneedle/100803/}, language = {English}, urldate = {2023-07-24} } Lazarus targets defense industry with ThreatNeedle
HTTP(S) uploader LPEClient Volgmer
2021-02-25 | Intezer | Intezer
@techreport{intezer:20210225:year:eb47cd1, author = {Intezer}, title = {{Year of the Gopher A 2020 Go Malware Round-Up}}, date = {2021-02-25}, institution = {Intezer}, url = {https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf}, language = {English}, urldate = {2021-06-30} } Year of the Gopher A 2020 Go Malware Round-Up
NiuB WellMail elf.wellmess ArdaMax AsyncRAT CyberGate DarkComet Glupteba Nanocore RAT Nefilim NjRAT Quasar RAT WellMess Zebrocy
2021-02-23 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-22 | tccontre Blog | tcontre
@online{tcontre:20210222:gh0strat:9f98308, author = {tcontre}, title = {{Gh0stRat Anti-Debugging: Nested SEH (try - catch) to Decrypt and Load its Payload}}, date = {2021-02-22}, organization = {tccontre Blog}, url = {https://tccontre.blogspot.com/2021/02/gh0strat-anti-debugging-nested-seh-try.html}, language = {English}, urldate = {2021-02-25} } Gh0stRat Anti-Debugging: Nested SEH (try - catch) to Decrypt and Load its Payload
Ghost RAT
2021-02-18 | Symantec | Threat Hunter Team
@online{team:20210218:lazarus:f98481c, author = {Threat Hunter Team}, title = {{Lazarus: Three North Koreans Charged for Financially Motivated Attacks}}, date = {2021-02-18}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-north-korea-indictment}, language = {English}, urldate = {2023-08-21} } Lazarus: Three North Koreans Charged for Financially Motivated Attacks
AppleJeus POOLRAT Unidentified macOS 001 (UnionCryptoTrader) AppleJeus Unidentified 077 (Lazarus Downloader)
2021-02-17 | US-CERT | CISA
@online{cisa:20210217:malware:5fa5db6, author = {CISA}, title = {{Malware Analysis Report (AR21-048C): AppleJeus: Union Crypto}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c}, language = {English}, urldate = {2023-06-29} } Malware Analysis Report (AR21-048C): AppleJeus: Union Crypto
AppleJeus Unidentified macOS 001 (UnionCryptoTrader) AppleJeus
2021-02-17 | US-CERT | CISA
@online{cisa:20210217:malware:18c1b8e, author = {CISA}, title = {{Malware Analysis Report (AR21-048B): AppleJeus: JMT Trading}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048B): AppleJeus: JMT Trading
AppleJeus AppleJeus
2021-02-17 | US-CERT | CISA
@online{cisa:20210217:malware:191d7ae, author = {CISA}, title = {{Malware Analysis Report (AR21-048F): AppleJeus: Dorusio}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f}, language = {English}, urldate = {2023-06-29} } Malware Analysis Report (AR21-048F): AppleJeus: Dorusio
AppleJeus AppleJeus Unidentified 077 (Lazarus Downloader)
2021-02-17 | US-CERT | US-CERT
@online{uscert:20210217:alert:3d0afe3, author = {US-CERT}, title = {{Alert (AA21-048A): AppleJeus: Analysis of North Korea’s Cryptocurrency Malware}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa21-048a}, language = {English}, urldate = {2021-02-20} } Alert (AA21-048A): AppleJeus: Analysis of North Korea’s Cryptocurrency Malware
AppleJeus AppleJeus
2021-02-17 | US-CERT | CISA
@online{cisa:20210217:malware:39df9f4, author = {CISA}, title = {{Malware Analysis Report (AR21-048A): AppleJeus: Celas Trade Pro}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048A): AppleJeus: Celas Trade Pro
AppleJeus AppleJeus
2021-02-17 | US-CERT | CISA
@online{cisa:20210217:malware:5113e30, author = {CISA}, title = {{Malware Analysis Report (AR21-048E): AppleJeus: CoinGoTrade}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048E): AppleJeus: CoinGoTrade
AppleJeus AppleJeus
2021-02-17 | US-CERT | CISA
@online{cisa:20210217:malware:59e2d5d, author = {CISA}, title = {{Malware Analysis Report (AR21-048D): AppleJeus: Kupay Wallet}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048D): AppleJeus: Kupay Wallet
AppleJeus AppleJeus
2021-02-17 | US-CERT | CISA
@online{cisa:20210217:malware:47648b1, author = {CISA}, title = {{Malware Analysis Report (AR21-048G): AppleJeus: Ants2Whale}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g}, language = {English}, urldate = {2021-02-20} } Malware Analysis Report (AR21-048G): AppleJeus: Ants2Whale
AppleJeus AppleJeus
2021-02-01 | ESET Research | Ignacio Sanmillan, Matthieu Faou
@online{sanmillan:20210201:operation:9e52a78, author = {Ignacio Sanmillan and Matthieu Faou}, title = {{Operation NightScout: Supply‑chain attack targets online gaming in Asia}}, date = {2021-02-01}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/}, language = {English}, urldate = {2021-02-17} } Operation NightScout: Supply‑chain attack targets online gaming in Asia
Ghost RAT NoxPlayer Poison Ivy Red Dev 17
2021-02-01 | One Night in Norfolk | Kevin Perlow
@online{perlow:20210201:dprk:e53f059, author = {Kevin Perlow}, title = {{DPRK Targeting Researchers II: .Sys Payload and Registry Hunting}}, date = {2021-02-01}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/dprk-targeting-researchers-ii-sys-payload-and-registry-hunting/}, language = {English}, urldate = {2021-02-02} } DPRK Targeting Researchers II: .Sys Payload and Registry Hunting
ComeBacker
2021-01-30 | Microstep Intelligence Bureau | Microstep online research response team
@online{team:20210130:analysis:2758345, author = {Microstep online research response team}, title = {{Analysis of Lazarus attacks against security researchers}}, date = {2021-01-30}, organization = {Microstep Intelligence Bureau}, url = {https://www.anquanke.com/post/id/230161}, language = {Chinese}, urldate = {2021-02-02} } Analysis of Lazarus attacks against security researchers
ComeBacker
2021-01-29 | NSFOCUS | Fuying Laboratory
@online{laboratory:20210129:stumbzarusaptlazarus:4d0bf52, author = {Fuying Laboratory}, title = {{认识STUMBzarus——APT组织Lazarus近期定向攻击组件深入分析}}, date = {2021-01-29}, organization = {NSFOCUS}, url = {http://blog.nsfocus.net/stumbzarus-apt-lazarus/}, language = {Chinese}, urldate = {2023-08-03} } Meet STUMBzarus: In-depth Analysis of a Targeted Attack Component Recently Used by the Lazarus APT Group (original title in Chinese)
ComeBacker DRATzarus Torisma
2021-01-28 | Microsoft | Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team
@online{mstic:20210128:zinc:9c8aff4, author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Threat Intelligence Team}, title = {{ZINC attacks against security researchers}}, date = {2021-01-28}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/}, language = {English}, urldate = {2021-01-29} } ZINC attacks against security researchers
ComeBacker Klackring
2021-01-27 | S2W LAB Inc. | Sojun Ryu
@online{ryu:20210127:how:7dcce24, author = {Sojun Ryu}, title = {{How to communicate between RAT infected devices (White paper)}}, date = {2021-01-27}, organization = {S2W LAB Inc.}, url = {https://drive.google.com/file/d/1XoGQFEJQ4nFAUXSGwcnTobviQ_ms35mG/view}, language = {English}, urldate = {2021-01-27} } How to communicate between RAT infected devices (White paper)
Volgmer
2021-01-27 | S2W LAB Inc. | Sojun Ryu
@online{ryu:20210127:analysis:d2bb250, author = {Sojun Ryu}, title = {{Analysis of THREATNEEDLE C&C Communication (feat. Google TAG Warning to Researchers)}}, date = {2021-01-27}, organization = {S2W LAB Inc.}, url = {https://medium.com/s2wlab/analysis-of-threatneedle-c-c-communication-feat-google-tag-warning-to-researchers-782aa51cf74}, language = {English}, urldate = {2021-01-27} } Analysis of THREATNEEDLE C&C Communication (feat. Google TAG Warning to Researchers)
Volgmer
2021-01-26 | Comae | Matt Suiche
@online{suiche:20210126:pandorabox:0fc91d0, author = {Matt Suiche}, title = {{PANDORABOX - North Koreans target security researchers}}, date = {2021-01-26}, organization = {Comae}, url = {https://www.comae.com/posts/pandorabox-north-koreans-target-security-researchers/}, language = {English}, urldate = {2021-01-27} } PANDORABOX - North Koreans target security researchers
ComeBacker
2021-01-26 | One Night in Norfolk | Kevin Perlow
@online{perlow:20210126:dprk:04391b6, author = {Kevin Perlow}, title = {{DPRK Malware Targeting Security Researchers}}, date = {2021-01-26}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/dprk-malware-targeting-security-researchers/}, language = {English}, urldate = {2021-01-27} } DPRK Malware Targeting Security Researchers
ComeBacker
2021-01-26 | JPCERT/CC | Shusei Tomonaga
@online{tomonaga:20210126:operation:bc16746, author = {Shusei Tomonaga}, title = {{Operation Dream Job by Lazarus}}, date = {2021-01-26}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html}, language = {English}, urldate = {2021-01-27} } Operation Dream Job by Lazarus
LCPDot Torisma Lazarus Group
2021-01-25 | Google | Adam Weidemann
@online{weidemann:20210125:new:f286d05, author = {Adam Weidemann}, title = {{New campaign targeting security researchers}}, date = {2021-01-25}, organization = {Google}, url = {https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/}, language = {English}, urldate = {2023-08-03} } New campaign targeting security researchers
ComeBacker DRATzarus
2021-01-20 | JPCERT/CC | Shusei Tomonaga
@online{tomonaga:20210120:commonly:e5a0269, author = {Shusei Tomonaga}, title = {{Commonly Known Tools Used by Lazarus}}, date = {2021-01-20}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2021/01/Lazarus_tools.html}, language = {English}, urldate = {2021-01-21} } Commonly Known Tools Used by Lazarus
Lazarus Group
2021-01-15 | Swisscom | Markus Neis
@techreport{neis:20210115:cracking:b1c1684, author = {Markus Neis}, title = {{Cracking a Soft Cell is Harder Than You Think}}, date = {2021-01-15}, institution = {Swisscom}, url = {https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf}, language = {English}, urldate = {2021-01-18} } Cracking a Soft Cell is Harder Than You Think
Ghost RAT MimiKatz PlugX Poison Ivy Trochilus RAT
2021-01-09 | Marco Ramilli's Blog | Marco Ramilli
@online{ramilli:20210109:command:d720b27, author = {Marco Ramilli}, title = {{Command and Control Traffic Patterns}}, date = {2021-01-09}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/}, language = {English}, urldate = {2021-05-17} } Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot
2021-01-07 | Github (hvs-consulting) | HvS-Consulting AG
@online{ag:20210107:lazarus:963b364, author = {HvS-Consulting AG}, title = {{Lazarus / APT37 IOCs}}, date = {2021-01-07}, organization = {Github (hvs-consulting)}, url = {https://github.com/hvs-consulting/ioc_signatures/tree/main/Lazarus_APT37}, language = {English}, urldate = {2021-01-21} } Lazarus / APT37 IOCs
Lazarus Group
2021-01-01 | Objective-See | Patrick Wardle
@online{wardle:20210101:mac:a6f5a3b, author = {Patrick Wardle}, title = {{The Mac Malware of 2020 - a comprehensive analysis of the year's new malware}}, date = {2021-01-01}, organization = {Objective-See}, url = {https://objective-see.com/blog/blog_0x5F.html}, language = {English}, urldate = {2021-01-11} } The Mac Malware of 2020 - a comprehensive analysis of the year's new malware
AppleJeus Dacls EvilQuest FinFisher WatchCat XCSSET
2020-12-23 | Kaspersky Labs | Seongsu Park
@online{park:20201223:lazarus:a1413a8, author = {Seongsu Park}, title = {{Lazarus covets COVID-19-related intelligence}}, date = {2020-12-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/}, language = {English}, urldate = {2023-07-08} } Lazarus covets COVID-19-related intelligence
BookCodes RAT
2020-12-21 | Cisco Talos | Jon Munshaw
@online{munshaw:20201221:2020:4a88f84, author = {Jon Munshaw}, title = {{2020: The year in malware}}, date = {2020-12-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html}, language = {English}, urldate = {2020-12-26} } 2020: The year in malware
WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader
2020-12-18 | Seqrite | Pavankumar Chaudhari
@online{chaudhari:20201218:rat:50074a2, author = {Pavankumar Chaudhari}, title = {{RAT used by Chinese cyberspies infiltrating Indian businesses}}, date = {2020-12-18}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/rat-used-by-chinese-cyberspies-infiltrating-indian-businesses/}, language = {English}, urldate = {2020-12-18} } RAT used by Chinese cyberspies infiltrating Indian businesses
Ghost RAT
2020-12-15 | HvS-Consulting AG | HvS-Consulting AG
@techreport{ag:20201215:greetings:a5b59d9, author = {HvS-Consulting AG}, title = {{Greetings from Lazarus Anatomy of a cyber espionage campaign}}, date = {2020-12-15}, institution = {HvS-Consulting AG}, url = {https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf}, language = {English}, urldate = {2023-07-10} } Greetings from Lazarus Anatomy of a cyber espionage campaign
BLINDINGCAN HTTP(S) uploader MimiKatz
2020-12-15 | HvS-Consulting AG | HvS-Consulting AG
@online{ag:20201215:greetings:452ef44, author = {HvS-Consulting AG}, title = {{Greetings from Lazarus: Anatomy of a cyber espionage campaign}}, date = {2020-12-15}, organization = {HvS-Consulting AG}, url = {https://www.hvs-consulting.de/lazarus-report/}, language = {English}, urldate = {2021-01-21} } Greetings from Lazarus: Anatomy of a cyber espionage campaign
BLINDINGCAN MimiKatz Lazarus Group
2020-12-11 | PWC UK | Twitter (@BitsOfBinary)
@online{bitsofbinary:20201211:macos:a00d112, author = {Twitter (@BitsOfBinary)}, title = {{Tweet on macOS Manuscrypt samples}}, date = {2020-12-11}, organization = {PWC UK}, url = {https://twitter.com/BitsOfBinary/status/1337330286787518464}, language = {English}, urldate = {2020-12-14} } Tweet on macOS Manuscrypt samples
Manuscrypt
2020-12-10 | Intel 471 | Intel 471
@online{471:20201210:no:9fd2ae1, author = {Intel 471}, title = {{No pandas, just people: The current state of China’s cybercrime underground}}, date = {2020-12-10}, organization = {Intel 471}, url = {https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/}, language = {English}, urldate = {2020-12-10} } No pandas, just people: The current state of China’s cybercrime underground
Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT
2020-12-10 | US-CERT | US-CERT, FBI, MS-ISAC
@online{uscert:20201210:alert:a5ec77e, author = {US-CERT and FBI and MS-ISAC}, title = {{Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data}}, date = {2020-12-10}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-345a}, language = {English}, urldate = {2020-12-11} } Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus
2020-12-09 | CrowdStrike | Josh Burgess, Jason Rivera
@techreport{burgess:20201209:from:1811e9c, author = {Josh Burgess and Jason Rivera}, title = {{From Zero to Sixty: The Story of North Korea’s Rapid Ascent to Becoming a Global Cyber Superpower}}, date = {2020-12-09}, institution = {CrowdStrike}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf}, language = {English}, urldate = {2020-12-11} } From Zero to Sixty: The Story of North Korea’s Rapid Ascent to Becoming a Global Cyber Superpower
FastCash Hermes WannaCryptor
2020-11-27 | Macnica | Hiroshi Takeuchi
@online{takeuchi:20201127:analyzing:4089f84, author = {Hiroshi Takeuchi}, title = {{Analyzing Organizational Invasion Ransom Incidents Using Dtrack}}, date = {2020-11-27}, organization = {Macnica}, url = {https://blog.macnica.net/blog/2020/11/dtrack.html}, language = {Japanese}, urldate = {2020-12-08} } Analyzing Organizational Invasion Ransom Incidents Using Dtrack
Cobalt Strike Dtrack
2020-11-27 | Microstep Intelligence Bureau | Microstep online research response team
@online{team:20201127:lazarus:9111581, author = {Microstep online research response team}, title = {{钱包黑洞:Lazarus 组织近期在加密货币方面的隐蔽攻击活动}}, date = {2020-11-27}, organization = {Microstep Intelligence Bureau}, url = {https://www.anquanke.com/post/id/223817}, language = {Chinese}, urldate = {2020-12-26} } Wallet Black Hole: Recent Covert Cryptocurrency-Focused Attack Activity by the Lazarus Group (original title in Chinese)
Manuscrypt
2020-11-21 | vxhive blog | 0xastrovax
@online{0xastrovax:20201121:deep:89c1a51, author = {0xastrovax}, title = {{Deep Dive Into HERMES Ransomware}}, date = {2020-11-21}, organization = {vxhive blog}, url = {https://vxhive.blogspot.com/2020/11/deep-dive-into-hermes-ransomware.html}, language = {English}, urldate = {2021-12-13} } Deep Dive Into HERMES Ransomware
Hermes
2020-11-16 | ESET Research | Anton Cherepanov, Peter Kálnai
@online{cherepanov:20201116:lazarus:6b90a77, author = {Anton Cherepanov and Peter Kálnai}, title = {{Lazarus supply‑chain attack in South Korea}}, date = {2020-11-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/}, language = {English}, urldate = {2020-11-18} } Lazarus supply‑chain attack in South Korea
BookCodes RAT Lazarus Group
2020-11-14 | Medium 0xastrovax | astrovax
@online{astrovax:20201114:deep:b50ae08, author = {astrovax}, title = {{Deep Dive Into Ryuk Ransomware}}, date = {2020-11-14}, organization = {Medium 0xastrovax}, url = {https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12}, language = {English}, urldate = {2021-01-25} } Deep Dive Into Ryuk Ransomware
Hermes Ryuk
2020-11-12 | Talos | Asheer Malhotra
@online{malhotra:20201112:crat:1761f4e, author = {Asheer Malhotra}, title = {{CRAT wants to plunder your endpoints}}, date = {2020-11-12}, organization = {Talos}, url = {https://blog.talosintelligence.com/2020/11/crat-and-plugins.html}, language = {English}, urldate = {2020-11-18} } CRAT wants to plunder your endpoints
CRAT
2020-11-05 | McAfee | Christiaan Beek, Ryan Sherstobitoff
@online{beek:20201105:operation:ca0ac54, author = {Christiaan Beek and Ryan Sherstobitoff}, title = {{Operation North Star: Behind The Scenes}}, date = {2020-11-05}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/}, language = {English}, urldate = {2023-07-31} } Operation North Star: Behind The Scenes
NedDnLoader Torisma
2020-11-03 | Kaspersky Labs | GReAT
@online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-10-28 | Twitter (@BitsOfBinary) | John
@online{john:20201028:macos:15c0a45, author = {John}, title = {{Tweet on macOS version of Manuscrypt}}, date = {2020-10-28}, organization = {Twitter (@BitsOfBinary)}, url = {https://twitter.com/BitsOfBinary/status/1321488299932983296}, language = {English}, urldate = {2020-12-03} } Tweet on macOS version of Manuscrypt
Manuscrypt
2020-10-27 | Dr.Web | Dr.Web
@techreport{drweb:20201027:study:9f6e628, author = {Dr.Web}, title = {{Study of the ShadowPad APT backdoor and its relation to PlugX}}, date = {2020-10-27}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf}, language = {English}, urldate = {2020-10-29} } Study of the ShadowPad APT backdoor and its relation to PlugX
Ghost RAT PlugX ShadowPad
2020-10-03 | VB Localhost | Takai Hajime, Shogo Hayashi, Rintaro Koike
@online{hajime:20201003:unveiling:826bb2b, author = {Takai Hajime and Shogo Hayashi and Rintaro Koike}, title = {{Unveiling the CryptoMimic}}, date = {2020-10-03}, organization = {VB Localhost}, url = {https://vb2020.vblocalhost.com/conference/presentations/unveiling-the-cryptomimic/}, language = {English}, urldate = {2023-05-24} } Unveiling the CryptoMimic
CageyChameleon SnatchCrypto
2020-09-29 | JPCERT/CC | Shusei Tomonaga
@online{tomonaga:20200929:blindingcan:a85ca22, author = {Shusei Tomonaga}, title = {{BLINDINGCAN - Malware Used by Lazarus}}, date = {2020-09-29}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html}, language = {English}, urldate = {2020-10-02} } BLINDINGCAN - Malware Used by Lazarus
BLINDINGCAN Lazarus Group
2020-09-16 | Qianxin | Red Raindrop Team
@online{team:20200916:target:a21c14d, author = {Red Raindrop Team}, title = {{Target defense industry: Lazarus uses recruitment bait combined with continuously updated cyber weapons}}, date = {2020-09-16}, organization = {Qianxin}, url = {https://mp.weixin.qq.com/s/2sV-DrleHiJMSpSCW0kAMg}, language = {English}, urldate = {2021-01-27} } Target defense industry: Lazarus uses recruitment bait combined with continuously updated cyber weapons
CRAT
2020-09-15 | CrowdStrike | CrowdStrike Overwatch Team
@techreport{team:20200915:nowhere:284220e, author = {CrowdStrike Overwatch Team}, title = {{Nowhere to Hide - 2020 Threat Hunting Report}}, date = {2020-09-15}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf}, language = {English}, urldate = {2020-09-21} } Nowhere to Hide - 2020 Threat Hunting Report
NedDnLoader RDAT TRACER KITTEN
2020-08-31 | SentinelOne | Jim Walter
@online{walter:20200831:blindingcan:cdb0ffc, author = {Jim Walter}, title = {{The BLINDINGCAN RAT and Malicious North Korean Activity}}, date = {2020-08-31}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/the-blindingcan-rat-and-malicious-north-korean-activity/}, language = {English}, urldate = {2020-09-01} } The BLINDINGCAN RAT and Malicious North Korean Activity
BLINDINGCAN
2020-08-31 | JPCERT/CC | Shusei Tomonaga
@online{tomonaga:20200831:malware:18b1228, author = {Shusei Tomonaga}, title = {{Malware Used by Lazarus after Network Intrusion}}, date = {2020-08-31}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html}, language = {English}, urldate = {2020-09-04} } Malware Used by Lazarus after Network Intrusion
Lazarus Group
2020-08-26 | CISA | CISA
@online{cisa:20200826:mar103017062v1:e64b3ac, author = {CISA}, title = {{MAR-10301706-2.v1 - North Korean Remote Access Tool: VIVACIOUSGIFT}}, date = {2020-08-26}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239b}, language = {English}, urldate = {2020-09-01} } MAR-10301706-2.v1 - North Korean Remote Access Tool: VIVACIOUSGIFT
NACHOCHEESE
2020-08-26 | CISA | CISA
@online{cisa:20200826:mar103017061v1:735a8fc, author = {CISA}, title = {{MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON}}, date = {2020-08-26}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a}, language = {English}, urldate = {2020-09-01} } MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON
PSLogger
2020-08-26 | CISA | CISA, U.S. Department of the Treasury, FBI, U.S. Cyber Command
@online{cisa:20200826:alert:91b063b, author = {CISA and U.S. Department of the Treasury and FBI and U.S. Cyber Command}, title = {{Alert (AA20-239A): FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks}}, date = {2020-08-26}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa20-239a}, language = {English}, urldate = {2022-04-20} } Alert (AA20-239A): FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks
FastCash
2020-08-19 | US-CERT | US-CERT
@online{uscert:20200819:malware:63a2025, author = {US-CERT}, title = {{Malware Analysis Report (AR20-232A)}}, date = {2020-08-19}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a}, language = {English}, urldate = {2020-09-01} } Malware Analysis Report (AR20-232A)
Bankshot BLINDINGCAN
2020-08-19 | CISA | CISA
@online{cisa:20200819:mar102951341v1:e21aadf, author = {CISA}, title = {{MAR-10295134-1.v1 - North Korean Remote Access Trojan: BLINDINGCAN}}, date = {2020-08-19}, organization = {CISA}, url = {https://www.cisa.gov/news-events/analysis-reports/ar20-232a}, language = {English}, urldate = {2023-08-11} } MAR-10295134-1.v1 - North Korean Remote Access Trojan: BLINDINGCAN
BLINDINGCAN
2020-08-13 | ClearSky | ClearSky Research Team
@techreport{team:20200813:operation:429bf86, author = {ClearSky Research Team}, title = {{Operation ‘Dream Job’ Widespread North Korean Espionage Campaign}}, date = {2020-08-13}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf}, language = {English}, urldate = {2023-09-07} } Operation ‘Dream Job’ Widespread North Korean Espionage Campaign
DRATzarus LPEClient NedDnLoader
2020-08-05 | BlackHat | Kevin Perlow
@techreport{perlow:20200805:fastcashand:301d8ce, author = {Kevin Perlow}, title = {{FASTCash and INJX_PURE: How Threat Actors Use Public Standards for Financial Fraud}}, date = {2020-08-05}, institution = {BlackHat}, url = {https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf}, language = {English}, urldate = {2020-08-14} } FASTCash and INJX_PURE: How Threat Actors Use Public Standards for Financial Fraud
FastCash
2020-08-05 | BlackHat | Kevin Perlow
@techreport{perlow:20200805:fastcash:5e6b73a, author = {Kevin Perlow}, title = {{FASTCash and Associated Intrusion Techniques}}, date = {2020-08-05}, institution = {BlackHat}, url = {https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud-wp.pdf}, language = {English}, urldate = {2020-08-14} } FASTCash and Associated Intrusion Techniques
FastCash
2020-08 | TG Soft | TG Soft
@online{soft:202008:tg:88b671c, author = {TG Soft}, title = {{TG Soft Cyber - Threat Report}}, date = {2020-08}, organization = {TG Soft}, url = {https://www.tgsoft.it/files/report/download.asp?id=7481257469}, language = {Italian}, urldate = {2020-09-15} } TG Soft Cyber - Threat Report
DarkComet Darktrack RAT Emotet ISFB
2020-08 | Temple University | CARE
@online{care:202008:critical:415c34d, author = {CARE}, title = {{Critical Infrastructure Ransomware Attacks}}, date = {2020-08}, organization = {Temple University}, url = {https://sites.temple.edu/care/ci-rw-attacks/}, language = {English}, urldate = {2020-09-15} } Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor
2020-07-29 | McAfee | McAfee Labs
@online{labs:20200729:operation:e4abd0a, author = {McAfee Labs}, title = {{Operation (노스 스타) North Star A Job Offer That’s Too Good to be True?}}, date = {2020-07-29}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/}, language = {English}, urldate = {2023-07-31} } Operation (노스 스타) North Star A Job Offer That’s Too Good to be True?
NedDnLoader
2020-07-29 | Kaspersky Labs | GReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-07-29 | ESET Research | welivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-07-28Kaspersky LabsIvan Kwiatkowski, Pierre Delcher, Félix Aime
@online{kwiatkowski:20200728:lazarus:5b1523a, author = {Ivan Kwiatkowski and Pierre Delcher and Félix Aime}, title = {{Lazarus on the hunt for big game}}, date = {2020-07-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/}, language = {English}, urldate = {2020-07-30} } Lazarus on the hunt for big game
Dacls Dacls Dacls VHD Ransomware
2020-07-28NTTNTT Security
@online{security:20200728:craftypanda:7643b28, author = {NTT Security}, title = {{CraftyPanda Targeted Attack Analysis Report}}, date = {2020-07-28}, organization = {NTT}, url = {https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report}, language = {Japanese}, urldate = {2020-07-30} } CraftyPanda Targeted Attack Analysis Report
Ghost RAT PlugX
2020-07-27SentinelOnePhil Stokes
@online{stokes:20200727:four:9d80c60, author = {Phil Stokes}, title = {{Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform}}, date = {2020-07-27}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/}, language = {English}, urldate = {2020-07-30} } Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform
AppleJeus Casso Dacls WatchCat
2020-07-22Kaspersky LabsGReAT
@online{great:20200722:mata:591e184, author = {GReAT}, title = {{MATA: Multi-platform targeted malware framework}}, date = {2020-07-22}, organization = {Kaspersky Labs}, url = {https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/}, language = {English}, urldate = {2020-07-23} } MATA: Multi-platform targeted malware framework
Dacls Dacls Dacls
2020-07-20Risky.bizDaniel Gordon
@online{gordon:20200720:what:b88e81f, author = {Daniel Gordon}, title = {{What even is Winnti?}}, date = {2020-07-20}, organization = {Risky.biz}, url = {https://risky.biz/whatiswinnti/}, language = {English}, urldate = {2020-08-18} } What even is Winnti?
CCleaner Backdoor Ghost RAT PlugX ZXShell
2020-06-29KISAKrCERT
@techreport{krcert:20200629:operation:bbe9f5c, author = {KrCERT}, title = {{OPERATION BOOKCODES TTPs #2}}, date = {2020-06-29}, institution = {KISA}, url = {https://www.boho.or.kr/filedownload.do?attach_file_seq=2612&attach_file_id=EpF2612.pdf}, language = {English}, urldate = {2023-07-05} } OPERATION BOOKCODES TTPs #2
BookCodes RAT
2020-06-28Twitter (@ccxsaber)z3r0
@online{z3r0:20200628:sample:8355378, author = {z3r0}, title = {{Tweet on Sample}}, date = {2020-06-28}, organization = {Twitter (@ccxsaber)}, url = {https://twitter.com/ccxsaber/status/1277064824434745345}, language = {English}, urldate = {2020-07-15} } Tweet on Sample
Unidentified 077 (Lazarus Downloader)
2020-06-23ReversingLabsKarlo Zanki
@online{zanki:20200623:hidden:807b898, author = {Karlo Zanki}, title = {{Hidden Cobra - from a shed skin to the viper’s nest}}, date = {2020-06-23}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/hidden-cobra}, language = {English}, urldate = {2020-06-23} } Hidden Cobra - from a shed skin to the viper’s nest
Bankshot PEBBLEDASH TAINTEDSCRIBE
2020-06-17ESET ResearchDominik Breitenbacher, Kaspars Osis
@techreport{breitenbacher:20200617:operation:7969e3a, author = {Dominik Breitenbacher and Kaspars Osis}, title = {{Operation In(ter)ception: Targeted Attacks against European Aerospace and Military Companies}}, date = {2020-06-17}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf}, language = {English}, urldate = {2020-06-17} } Operation In(ter)ception: Targeted Attacks against European Aerospace and Military Companies
Interception
2020-06-14BushidoTokenBushidoToken
@online{bushidotoken:20200614:deepdive:3a375ca, author = {BushidoToken}, title = {{Deep-dive: The DarkHotel APT}}, date = {2020-06-14}, organization = {BushidoToken}, url = {https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html}, language = {English}, urldate = {2020-06-16} } Deep-dive: The DarkHotel APT
Asruex Ghost RAT Ramsay Retro Unidentified 076 (Higaisa LNK to Shellcode)
2020-06-09Kaspersky LabsCostin Raiu
@online{raiu:20200609:looking:3038dce, author = {Costin Raiu}, title = {{Looking at Big Threats Using Code Similarity. Part 1}}, date = {2020-06-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/big-threats-using-code-similarity-part-1/97239/}, language = {English}, urldate = {2020-08-18} } Looking at Big Threats Using Code Similarity. Part 1
Penquin Turla CCleaner Backdoor EternalPetya Regin WannaCryptor XTunnel
2020-06-05PrevailionDanny Adamitis
@online{adamitis:20200605:gh0st:849c227, author = {Danny Adamitis}, title = {{The Gh0st Remains the Same}}, date = {2020-06-05}, organization = {Prevailion}, url = {https://www.prevailion.com/the-gh0st-remains-the-same-2/}, language = {English}, urldate = {2022-09-20} } The Gh0st Remains the Same
Ghost RAT
2020-06-04PTSecurityPT ESC Threat Intelligence
@online{intelligence:20200604:covid19:45fa7ba, author = {PT ESC Threat Intelligence}, title = {{COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group}}, date = {2020-06-04}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/}, language = {English}, urldate = {2020-06-05} } COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group
Ghost RAT
2020-05-31Twitter (ShadowChasing1)Shadow Chaser Group
@online{group:20200531:dtrack:d91f05d, author = {Shadow Chaser Group}, title = {{Tweet on DTRACK malware}}, date = {2020-05-31}, organization = {Twitter (ShadowChasing1)}, url = {https://twitter.com/ShadowChasing1/status/1399369260577681426?s=20}, language = {English}, urldate = {2021-06-09} } Tweet on DTRACK malware
Dtrack
2020-05-20Medium Asuna AmawakaAsuna Amawaka
@online{amawaka:20200520:what:e02d9a4, author = {Asuna Amawaka}, title = {{What happened between the BigBadWolf and the Tiger?}}, date = {2020-05-20}, organization = {Medium Asuna Amawaka}, url = {https://medium.com/insomniacs/what-happened-between-the-bigbadwolf-and-the-tiger-925549a105b2}, language = {English}, urldate = {2021-02-18} } What happened between the BigBadWolf and the Tiger?
Ghost RAT
2020-05-14Avast DecodedLuigino Camastra
@online{camastra:20200514:planted:7b94cc6, author = {Luigino Camastra}, title = {{APT Group Planted Backdoors Targeting High Profile Networks in Central Asia}}, date = {2020-05-14}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia}, language = {English}, urldate = {2022-07-25} } APT Group Planted Backdoors Targeting High Profile Networks in Central Asia
BYEBY Ghost RAT Microcin MimiKatz Vicious Panda
2020-05-12US-CERTUS-CERT
@online{uscert:20200512:mar102888341v1:e6e6a28, author = {US-CERT}, title = {{MAR-10288834-1.v1 – North Korean Remote Access Tool: COPPERHEDGE}}, date = {2020-05-12}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-133a}, language = {English}, urldate = {2020-05-14} } MAR-10288834-1.v1 – North Korean Remote Access Tool: COPPERHEDGE
Bankshot
2020-05-11Trend MicroGabrielle Joyce Mabutas, Kazuki Fujisawa
@online{mabutas:20200511:new:e25ce4e, author = {Gabrielle Joyce Mabutas and Kazuki Fujisawa}, title = {{New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability}}, date = {2020-05-11}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/}, language = {English}, urldate = {2020-05-11} } New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability
Dacls
2020-05-11Trend MicroGabrielle Joyce Mabutas, Kazuki Fujisawa
@online{mabutas:20200511:new:aa2bbd7, author = {Gabrielle Joyce Mabutas and Kazuki Fujisawa}, title = {{New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability}}, date = {2020-05-11}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability}, language = {English}, urldate = {2020-06-03} } New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability
Dacls
2020-05-07AVARMark Lechtik, Ariel Jungheit
@online{lechtik:20200507:north:3cfaf43, author = {Mark Lechtik and Ariel Jungheit}, title = {{The North Korean AV Anthology: a unique look on DPRK’s Anti-Virus market}}, date = {2020-05-07}, organization = {AVAR}, url = {https://drive.google.com/file/d/1lq0Sjw4FKBxf017Ss7W7uGMvs7CgFzcA/view}, language = {English}, urldate = {2020-05-07} } The North Korean AV Anthology: a unique look on DPRK’s Anti-Virus market
Volgmer
2020-05-06MalwarebytesHossein Jazi, Thomas Reed, Jérôme Segura
@online{jazi:20200506:new:7723083, author = {Hossein Jazi and Thomas Reed and Jérôme Segura}, title = {{New Mac variant of Lazarus Dacls RAT distributed via Trojanized 2FA app}}, date = {2020-05-06}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/}, language = {English}, urldate = {2020-05-07} } New Mac variant of Lazarus Dacls RAT distributed via Trojanized 2FA app
Dacls
2020-05-05Objective-SeePatrick Wardle
@online{wardle:20200505:dacls:b9f2391, author = {Patrick Wardle}, title = {{The Dacls RAT ...now on macOS! deconstructing the mac variant of a lazarus group implant}}, date = {2020-05-05}, organization = {Objective-See}, url = {https://objective-see.com/blog/blog_0x57.html}, language = {English}, urldate = {2020-05-07} } The Dacls RAT ...now on macOS! deconstructing the mac variant of a lazarus group implant
Dacls
2020-05-04ADEO DFIRADEO DFIR
@techreport{dfir:20200504:apt38:53494c3, author = {ADEO DFIR}, title = {{APT38 Lazarus Threat Analysis Report}}, date = {2020-05-04}, institution = {ADEO DFIR}, url = {https://adeo.com.tr/wp-content/uploads/2020/05/ADEO-Lazarus-APT38.pdf}, language = {English}, urldate = {2023-02-21} } APT38 Lazarus Threat Analysis Report
BLINDTOAD ELECTRICFISH
2020-04-16VMWare Carbon BlackScott Knight
@online{knight:20200416:evolution:39b90c0, author = {Scott Knight}, title = {{The Evolution of Lazarus}}, date = {2020-04-16}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/}, language = {English}, urldate = {2020-04-17} } The Evolution of Lazarus
HOTCROISSANT Rifdoor
2020-04-14QianxinQi'anxin Threat Intelligence
@online{intelligence:20200414:lazarus:e451b26, author = {Qi'anxin Threat Intelligence}, title = {{Analysis of a Lazarus APT targeted attack against a country using COVID-19 lures}}, date = {2020-04-14}, organization = {Qianxin}, url = {https://www.secrss.com/articles/18635}, language = {Chinese}, urldate = {2021-04-06} } Analysis of a Lazarus APT targeted attack against a country using COVID-19 lures
CRAT
2020-04-09suspected.tistory.comhmkang92
@online{hmkang92:20200409:malware:ba76407, author = {hmkang92}, title = {{Malware analysis (Emergency inquiry for Coronavirus response in Jeollanam-do.hwp)}}, date = {2020-04-09}, organization = {suspected.tistory.com}, url = {https://suspected.tistory.com/269}, language = {Korean}, urldate = {2021-04-06} } Malware analysis (Emergency inquiry for Coronavirus response in Jeollanam-do.hwp)
CRAT
2020-04-01KISAKrCERT
@techreport{krcert:20200401:operation:d6916ea, author = {KrCERT}, title = {{OPERATION BOOKCODES TTPs #1}}, date = {2020-04-01}, institution = {KISA}, url = {https://www.boho.or.kr/filedownload.do?attach_file_seq=2452&attach_file_id=EpF2452.pdf}, language = {English}, urldate = {2023-07-05} } OPERATION BOOKCODES TTPs #1
BookCodes RAT
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA
2020-03-05SophosLabsSergei Shevchenko
@techreport{shevchenko:20200305:cloud:e83e58c, author = {Sergei Shevchenko}, title = {{Cloud Snooper Attack Bypasses AWS Security Measures}}, date = {2020-03-05}, institution = {SophosLabs}, url = {https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf}, language = {English}, urldate = {2022-01-28} } Cloud Snooper Attack Bypasses AWS Security Measures
Cloud Snooper Ghost RAT
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019: A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019: A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2020-02-26MetaSwan's LabMetaSwan
@online{metaswan:20200226:lazarus:0bf422f, author = {MetaSwan}, title = {{Lazarus group's Brambul worm of the former Wannacry - 2}}, date = {2020-02-26}, organization = {MetaSwan's Lab}, url = {https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-2}, language = {English}, urldate = {2022-03-02} } Lazarus group's Brambul worm of the former Wannacry - 2
Brambul
2020-02-26MetaSwan's LabMetaSwan
@online{metaswan:20200226:lazarus:1cacde4, author = {MetaSwan}, title = {{Lazarus group's Brambul worm of the former Wannacry - 1}}, date = {2020-02-26}, organization = {MetaSwan's Lab}, url = {https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1}, language = {English}, urldate = {2022-03-02} } Lazarus group's Brambul worm of the former Wannacry - 1
Brambul WannaCryptor
2020-02-25SentinelOneJim Walter
@online{walter:20200225:dprk:735f095, author = {Jim Walter}, title = {{DPRK Hidden Cobra Update: North Korean Malicious Cyber Activity}}, date = {2020-02-25}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/}, language = {English}, urldate = {2020-02-27} } DPRK Hidden Cobra Update: North Korean Malicious Cyber Activity
ARTFULPIE BISTROMATH BUFFETLINE CHEESETRAY HOPLIGHT HOTCROISSANT SLICKSHOES
2020-02-25RSA ConferenceJoel DeCapua
@online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk SamSam Zeus
2020-02-22Objective-SeePatrick Wardle
@online{wardle:20200222:weaponizing:ea810ff, author = {Patrick Wardle}, title = {{Weaponizing a Lazarus Group Implant: repurposing a 1st-stage loader, to execute custom 'fileless' payloads}}, date = {2020-02-22}, organization = {Objective-See}, url = {https://objective-see.com/blog/blog_0x54.html}, language = {English}, urldate = {2020-02-27} } Weaponizing a Lazarus Group Implant: repurposing a 1st-stage loader, to execute custom 'fileless' payloads
AppleJeus
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-14US-CERTUS-CERT
@online{uscert:20200214:malware:e48897a, author = {US-CERT}, title = {{Malware Analysis Report (AR20–045B): MAR-10265965-2.v1 - North Korean Trojan: SLICKSHOES}}, date = {2020-02-14}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-045b}, language = {English}, urldate = {2020-02-27} } Malware Analysis Report (AR20–045B): MAR-10265965-2.v1 - North Korean Trojan: SLICKSHOES
SLICKSHOES
2020-02-14US-CERTUS-CERT
@online{uscert:20200214:malware:fd008a7, author = {US-CERT}, title = {{Malware Analysis Report (AR20-045G): MAR-10135536-8.v4 - North Korean Trojan: HOPLIGHT}}, date = {2020-02-14}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-045g}, language = {English}, urldate = {2020-02-27} } Malware Analysis Report (AR20-045G): MAR-10135536-8.v4 - North Korean Trojan: HOPLIGHT
HOPLIGHT
2020-02-14US-CERTUS-CERT
@online{uscert:20200214:malware:de7cafb, author = {US-CERT}, title = {{Malware Analysis Report (AR20-045F): MAR-10271944-3.v1 - North Korean Trojan: BUFFETLINE}}, date = {2020-02-14}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-045f}, language = {English}, urldate = {2020-02-27} } Malware Analysis Report (AR20-045F): MAR-10271944-3.v1 - North Korean Trojan: BUFFETLINE
BUFFETLINE
2020-02-14US-CERTUS-CERT
@online{uscert:20200214:malware:43ff8f0, author = {US-CERT}, title = {{Malware Analysis Report (AR20-045E): MAR-10271944-2.v1 - North Korean Trojan: ARTFULPIE}}, date = {2020-02-14}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-045e}, language = {English}, urldate = {2020-02-27} } Malware Analysis Report (AR20-045E): MAR-10271944-2.v1 - North Korean Trojan: ARTFULPIE
ARTFULPIE
2020-02-14US-CERTUS-CERT
@online{uscert:20200214:malware:315814d, author = {US-CERT}, title = {{Malware Analysis Report (AR20-045C)}}, date = {2020-02-14}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-045c}, language = {English}, urldate = {2020-02-14} } Malware Analysis Report (AR20-045C)
CHEESETRAY
2020-02-14US-CERTUS-CERT
@online{uscert:20200214:malware:8992509, author = {US-CERT}, title = {{Malware Analysis Report (AR20-045D): MAR-10271944-1.v1 - North Korean Trojan: HOTCROISSANT}}, date = {2020-02-14}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-045d}, language = {English}, urldate = {2020-02-27} } Malware Analysis Report (AR20-045D): MAR-10271944-1.v1 - North Korean Trojan: HOTCROISSANT
HOTCROISSANT
2020-02-14US-CERTUS-CERT
@online{uscert:20200214:malware:cdab5b7, author = {US-CERT}, title = {{Malware Analysis Report (AR20-045A): MAR-10265965-1.v1 - North Korean Trojan: BISTROMATH}}, date = {2020-02-14}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-045a}, language = {English}, urldate = {2020-02-27} } Malware Analysis Report (AR20-045A): MAR-10265965-1.v1 - North Korean Trojan: BISTROMATH
BISTROMATH
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-02-10MalwarebytesAdam Kujawa, Wendy Zamora, Jérôme Segura, Thomas Reed, Nathan Collier, Jovi Umawing, Chris Boyd, Pieter Arntz, David Ruiz
@techreport{kujawa:20200210:2020:3fdaf12, author = {Adam Kujawa and Wendy Zamora and Jérôme Segura and Thomas Reed and Nathan Collier and Jovi Umawing and Chris Boyd and Pieter Arntz and David Ruiz}, title = {{2020 State of Malware Report}}, date = {2020-02-10}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf}, language = {English}, urldate = {2020-02-13} } 2020 State of Malware Report
magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor
2020-02-02Youtube (Ghidra Ninja)Ghidra Ninja
@online{ninja:20200202:reversing:872f4fb, author = {Ghidra Ninja}, title = {{Reversing WannaCry Part 2 - Diving into the malware with #Ghidra}}, date = {2020-02-02}, organization = {Youtube (Ghidra Ninja)}, url = {https://www.youtube.com/watch?v=Q90uZS3taG0}, language = {English}, urldate = {2020-02-09} } Reversing WannaCry Part 2 - Diving into the malware with #Ghidra
WannaCryptor
2020-01-26Brown Farinholt, Mohammad Rezaeirad, Damon McCoy, Kirill Levchenko
@techreport{farinholt:20200126:dark:9c2f434, author = {Brown Farinholt and Mohammad Rezaeirad and Damon McCoy and Kirill Levchenko}, title = {{Dark Matter: Uncovering the DarkComet RAT Ecosystem}}, date = {2020-01-26}, institution = {}, url = {https://www.sysnet.ucsd.edu/sysnet/miscpapers/darkmatter-www20.pdf}, language = {English}, urldate = {2020-03-07} } Dark Matter: Uncovering the DarkComet RAT Ecosystem
DarkComet
2020-01-08Kaspersky LabsGReAT
@online{great:20200108:operation:ea445d5, author = {GReAT}, title = {{Operation AppleJeus Sequel}}, date = {2020-01-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-applejeus-sequel/95596/}, language = {English}, urldate = {2020-01-13} } Operation AppleJeus Sequel
AppleJeus Unidentified macOS 001 (UnionCryptoTrader)
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:dcdc02a, author = {SecureWorks}, title = {{BRONZE FLEETWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-fleetwood}, language = {English}, urldate = {2020-05-23} } BRONZE FLEETWOOD
Binanen Ghost RAT OrcaRAT APT5
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:41a0bc0, author = {SecureWorks}, title = {{BRONZE EDISON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-edison}, language = {English}, urldate = {2020-05-23} } BRONZE EDISON
Ghost RAT sykipot APT4 SAMURAI PANDA
2020-01-01Objective-SeePatrick Wardle
@online{wardle:20200101:mac:1d3cffc, author = {Patrick Wardle}, title = {{The Mac Malware of 2019}}, date = {2020-01-01}, organization = {Objective-See}, url = {https://objective-see.com/blog/blog_0x53.html}, language = {English}, urldate = {2020-07-20} } The Mac Malware of 2019
Gmera Mokes Yort
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:dc58892, author = {SecureWorks}, title = {{BRONZE GLOBE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-globe}, language = {English}, urldate = {2020-05-23} } BRONZE GLOBE
EtumBot Ghost RAT APT12
2020SecureworksSecureWorks
@online{secureworks:2020:aluminum:af22ffd, author = {SecureWorks}, title = {{ALUMINUM SARATOGA}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/aluminum-saratoga}, language = {English}, urldate = {2020-05-23} } ALUMINUM SARATOGA
BlackShades DarkComet Xtreme RAT Poison Ivy Quasar RAT Molerats
2020SecureworksSecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} } NICKEL ACADEMY
Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer
2020SecureworksSecureWorks
@online{secureworks:2020:nickel:bd4482a, author = {SecureWorks}, title = {{NICKEL GLADSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-gladstone}, language = {English}, urldate = {2020-05-23} } NICKEL GLADSTONE
AlphaNC Bankshot Ratankba Lazarus Group
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:4db27ec, author = {SecureWorks}, title = {{BRONZE UNION}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-union}, language = {English}, urldate = {2020-05-23} } BRONZE UNION
9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell APT27
2020SecureworksSecureWorks
@online{secureworks:2020:copper:e356116, author = {SecureWorks}, title = {{COPPER FIELDSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/copper-fieldstone}, language = {English}, urldate = {2020-05-23} } COPPER FIELDSTONE
Crimson RAT DarkComet Luminosity RAT NjRAT Operation C-Major
2019-12-17NetlabJinye, GenShen Ye
@online{jinye:20191217:lazarus:f97fffd, author = {Jinye and GenShen Ye}, title = {{Lazarus Group uses Dacls RAT to attack Linux platform}}, date = {2019-12-17}, organization = {Netlab}, url = {https://blog.netlab.360.com/dacls-the-dual-platform-rat/}, language = {Chinese}, urldate = {2020-01-07} } Lazarus Group uses Dacls RAT to attack Linux platform
Dacls Log Collector Dacls
2019-12-12FireEyeChi-en Shen, Oleg Bondarenko
@online{shen:20191212:cyber:e01baca, author = {Chi-en Shen and Oleg Bondarenko}, title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}}, date = {2019-12-12}, organization = {FireEye}, url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko}, language = {English}, urldate = {2020-04-16} } Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech
2019-12-12MicrosoftMicrosoft Threat Intelligence Center
@online{center:20191212:gallium:79f6460, author = {Microsoft Threat Intelligence Center}, title = {{GALLIUM: Targeting global telecom}}, date = {2019-12-12}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/}, language = {English}, urldate = {2022-06-15} } GALLIUM: Targeting global telecom
CHINACHOPPER Ghost RAT HTran MimiKatz Poison Ivy GALLIUM
2019-12-03Objective-SeeObjective-See
@online{objectivesee:20191203:lazarus:028af2b, author = {Objective-See}, title = {{Lazarus Group Goes 'Fileless'}}, date = {2019-12-03}, organization = {Objective-See}, url = {https://objective-see.com/blog/blog_0x51.html}, language = {English}, urldate = {2020-01-13} } Lazarus Group Goes 'Fileless'
Unidentified macOS 001 (UnionCryptoTrader)
2019-11-21CyberbitHod Gavriel
@online{gavriel:20191121:dtrack:fe6fbbc, author = {Hod Gavriel}, title = {{Dtrack: In-depth analysis of APT on a nuclear power plant}}, date = {2019-11-21}, organization = {Cyberbit}, url = {https://www.cyberbit.com/dtrack-apt-malware-found-in-nuclear-power-plant/}, language = {English}, urldate = {2020-08-21} } Dtrack: In-depth analysis of APT on a nuclear power plant
Dtrack
2019-11-21ThreatBookThreatBook
@techreport{threatbook:20191121:nightmare:f88dec3, author = {ThreatBook}, title = {{The Nightmare of Global Cryptocurrency Companies - Demystifying the “DangerousPassword” of the APT Organization}}, date = {2019-11-21}, institution = {ThreatBook}, url = {https://threatbook.cn/ppt/The%2520Nightmare%2520of%2520Global%2520Cryptocurrency%2520Companies%2520-%2520Demystifying%2520the%2520%25E2%2580%259CDangerousPassword%25E2%2580%259D%2520of%2520the%2520APT%2520Organization.pdf}, language = {English}, urldate = {2023-06-22} } The Nightmare of Global Cryptocurrency Companies - Demystifying the “DangerousPassword” of the APT Organization
CageyChameleon SnatchCrypto
2019-11-19FireEyeKelli Vanderlee, Nalani Fraser
@techreport{vanderlee:20191119:achievement:6be19eb, author = {Kelli Vanderlee and Nalani Fraser}, title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}}, date = {2019-11-19}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf}, language = {English}, urldate = {2021-03-02} } Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2019-11-05TelsyTelsy Research Team
@online{team:20191105:lazarus:6c782e8, author = {Telsy Research Team}, title = {{The Lazarus’ gaze to the world: What is behind the first stone?}}, date = {2019-11-05}, organization = {Telsy}, url = {https://www.telsy.com/lazarus-gate/}, language = {English}, urldate = {2023-07-31} } The Lazarus’ gaze to the world: What is behind the first stone?
NedDnLoader Torisma
2019-11-04Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20191104:is:79a8669, author = {Marco Ramilli}, title = {{Is Lazarus/APT38 Targeting Critical Infrastructures?}}, date = {2019-11-04}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2019/11/04/is-lazarus-apt38-targeting-critical-infrastructures/}, language = {English}, urldate = {2020-01-07} } Is Lazarus/APT38 Targeting Critical Infrastructures?
Dtrack
2019-11-04TencentTencent Security Mikan TIC
@online{tic:20191104:attack:33a29db, author = {Tencent Security Mikan TIC}, title = {{Attack activity of the APT group "Higaisa" disclosed}}, date = {2019-11-04}, organization = {Tencent}, url = {https://s.tencent.com/research/report/836.html}, language = {Chinese}, urldate = {2020-05-13} } Attack activity of the APT group "Higaisa" disclosed
Ghost RAT Higaisa
2019-11-03Github (jeFF0Falltrades)Jeff Archer
@online{archer:20191103:dtrack:de46ce3, author = {Jeff Archer}, title = {{DTrack}}, date = {2019-11-03}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/dtrack_lazarus_group.md}, language = {English}, urldate = {2019-12-18} } DTrack
Dtrack
2019-10-31CISACISA
@online{cisa:20191031:malware:4eccc2d, author = {CISA}, title = {{Malware Analysis Report (AR19-304A)}}, date = {2019-10-31}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar19-304a}, language = {English}, urldate = {2020-01-09} } Malware Analysis Report (AR19-304A)
HOPLIGHT
2019-10-17Vitali Kremez
@online{kremez:20191017:lets:d41b75a, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting Lazarus Windows x86 Loader Involved in Crypto Trading App Distribution: "snowman" & ADVObfuscator}}, date = {2019-10-17}, url = {https://www.vkremez.com/2019/10/lets-learn-dissecting-lazarus-windows.html}, language = {English}, urldate = {2020-01-08} } Let's Learn: Dissecting Lazarus Windows x86 Loader Involved in Crypto Trading App Distribution: "snowman" & ADVObfuscator
AppleJeus
2019-10-12 | Objective-See | Patrick Wardle
@online{wardle:20191012:pass:9a75bd6, author = {Patrick Wardle}, title = {{Pass the AppleJeus}}, date = {2019-10-12}, organization = {Objective-See}, url = {https://objective-see.com/blog/blog_0x49.html}, language = {English}, urldate = {2020-01-13} } Pass the AppleJeus
AppleJeus
2019-10-11 | Twitter (@VK_intel) | Vitali Kremez
@online{kremez:20191011:possible:3be065d, author = {Vitali Kremez}, title = {{Possible Lazarus x86 Malware (AppleJeus)}}, date = {2019-10-11}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1182730637016481793}, language = {English}, urldate = {2019-11-23} } Possible Lazarus x86 Malware (AppleJeus)
AppleJeus
2019-09-23 | Kaspersky Labs | Konstantin Zykov
@online{zykov:20190923:hello:a1e9360, author = {Konstantin Zykov}, title = {{Hello! My name is Dtrack}}, date = {2019-09-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/my-name-is-dtrack/93338/}, language = {English}, urldate = {2020-01-13} } Hello! My name is Dtrack
Dtrack
2019-09-23 | MITRE | MITRE ATT&CK
@online{attck:20190923:apt41:63b9ff7, author = {MITRE ATT&CK}, title = {{APT41}}, date = {2019-09-23}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0096}, language = {English}, urldate = {2022-08-30} } APT41
Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41
2019-09-18 | SophosLabs Uncut | Peter Mackenzie
@online{mackenzie:20190918:wannacry:7aeb8e1, author = {Peter Mackenzie}, title = {{The WannaCry hangover}}, date = {2019-09-18}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2019/09/18/the-wannacry-hangover/}, language = {English}, urldate = {2022-03-18} } The WannaCry hangover
WannaCryptor
2019-09-17 | Talos | Christopher Evans, David Liebenberg
@online{evans:20190917:cryptocurrency:8f3a9e9, author = {Christopher Evans and David Liebenberg}, title = {{Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”}}, date = {2019-09-17}, organization = {Talos}, url = {https://blog.talosintelligence.com/2019/09/panda-evolution.html}, language = {English}, urldate = {2019-10-31} } Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”
Ghost RAT
2019-09-17 | SophosLabs | Peter Mackenzie
@techreport{mackenzie:20190917:wannacry:250bb80, author = {Peter Mackenzie}, title = {{WannaCry Aftershock}}, date = {2019-09-17}, institution = {SophosLabs}, url = {https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/WannaCry-Aftershock.pdf}, language = {English}, urldate = {2022-03-22} } WannaCry Aftershock
WannaCryptor
2019-09-09 | CISA | CISA
@online{cisa:20190909:malware:f266520, author = {CISA}, title = {{Malware Analysis Report (AR19-252A)}}, date = {2019-09-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar19-252a}, language = {English}, urldate = {2020-01-07} } Malware Analysis Report (AR19-252A)
BADCALL BADCALL
2019-08-11 | Twitter (@KevinPerlow) | Kevin Perlow
@online{perlow:20190811:updated:b23bfc9, author = {Kevin Perlow}, title = {{Updated #Lazarus Keylogger (uploaded June)}}, date = {2019-08-11}, organization = {Twitter (@KevinPerlow)}, url = {https://twitter.com/KevinPerlow/status/1160766519615381504}, language = {English}, urldate = {2022-11-21} } Updated #Lazarus Keylogger (uploaded June)
PSLogger
2019-08-01 | Kaspersky Labs | GReAT
@online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy
2019-07-28 | Dissecting Malware | Marius Genheimer
@online{genheimer:20190728:third:ede6ba2, author = {Marius Genheimer}, title = {{Third time's the charm? Analysing WannaCry samples}}, date = {2019-07-28}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/third-times-the-charm-analysing-wannacry-samples.html}, language = {English}, urldate = {2020-03-27} } Third time's the charm? Analysing WannaCry samples
WannaCryptor
2019-07-11 | NTT Security | NTT Security
@online{security:20190711:targeted:a48e692, author = {NTT Security}, title = {{Targeted TrickBot activity drops 'PowerBrace' backdoor}}, date = {2019-07-11}, organization = {NTT Security}, url = {https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor}, language = {English}, urldate = {2019-12-18} } Targeted TrickBot activity drops 'PowerBrace' backdoor
PowerBrace TrickBot
2019-05-30 | Talos Intelligence | Vanja Svajcer
@online{svajcer:20190530:10:82553e1, author = {Vanja Svajcer}, title = {{10 years of virtual dynamite: A high-level retrospective of ATM malware}}, date = {2019-05-30}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html}, language = {English}, urldate = {2019-11-24} } 10 years of virtual dynamite: A high-level retrospective of ATM malware
FastCash Project Alice Cutlet Ploutus ATM Skimer Tyupkin
2019-05-09 | CISA | CISA
@online{cisa:20190509:malware:0fa3b40, author = {CISA}, title = {{Malware Analysis Report (AR19-129A)}}, date = {2019-05-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR19-129A}, language = {English}, urldate = {2020-01-08} } Malware Analysis Report (AR19-129A)
ELECTRICFISH Lazarus Group
2019-04-25 | DATANET | Kim Seon-ae
@online{seonae:20190425:chinesebased:fa78904, author = {Kim Seon-ae}, title = {{Chinese-based hackers attack domestic energy institutions}}, date = {2019-04-25}, organization = {DATANET}, url = {https://www.datanet.co.kr/news/articleView.html?idxno=133346}, language = {Korean}, urldate = {2021-02-09} } Chinese-based hackers attack domestic energy institutions
CALMTHORN Ghost RAT
2019-04-24 | SpecterOps | Richie Cyrus
@online{cyrus:20190424:introducing:f1d4536, author = {Richie Cyrus}, title = {{Introducing Venator: A macOS tool for proactive detection}}, date = {2019-04-24}, organization = {SpecterOps}, url = {https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56}, language = {English}, urldate = {2020-01-07} } Introducing Venator: A macOS tool for proactive detection
AppleJeus WindTail
2019-04-11 | Computing.co.uk | Dev Kundaliya
@online{kundaliya:20190411:lazarus:2ad8687, author = {Dev Kundaliya}, title = {{Lazarus rises: Warning over new HOPLIGHT malware linked with North Korea}}, date = {2019-04-11}, organization = {Computing.co.uk}, url = {https://www.computing.co.uk/ctg/news/3074007/lazarus-rises-warning-over-new-hoplight-malware-linked-with-north-korea}, language = {English}, urldate = {2020-01-06} } Lazarus rises: Warning over new HOPLIGHT malware linked with North Korea
HOPLIGHT
2019-04-10 | One Night in Norfolk | Norfolk
@online{norfolk:20190410:osint:7dfb7d1, author = {Norfolk}, title = {{OSINT Reporting Regarding DPRK and TA505 Overlap}}, date = {2019-04-10}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/osint-reporting-on-dprk-and-ta505-overlap/}, language = {English}, urldate = {2020-01-06} } OSINT Reporting Regarding DPRK and TA505 Overlap
PowerBrace
2019-04-10 | The Register | Shaun Nichols
@online{nichols:20190410:lazarus:33958ca, author = {Shaun Nichols}, title = {{Lazarus Group rises again from the digital grave with Hoplight malware for all}}, date = {2019-04-10}, organization = {The Register}, url = {https://www.theregister.co.uk/2019/04/10/lazarus_group_malware/}, language = {English}, urldate = {2019-12-24} } Lazarus Group rises again from the digital grave with Hoplight malware for all
Lazarus Group
2019-04-10 | US-CERT | US-CERT
@online{uscert:20190410:malware:4946afa, author = {US-CERT}, title = {{Malware Analysis Report (AR19-100A): North Korean Trojan: HOPLIGHT}}, date = {2019-04-10}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR19-100A}, language = {English}, urldate = {2020-01-09} } Malware Analysis Report (AR19-100A): North Korean Trojan: HOPLIGHT
HOPLIGHT
2019-03-27 | Symantec | Security Response Attack Investigation Team
@online{team:20190327:elfin:836cc39, author = {Security Response Attack Investigation Team}, title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}}, date = {2019-03-27}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage}, language = {English}, urldate = {2020-01-06} } Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet Nanocore RAT pupy Quasar RAT Remcos TURNEDUP APT33
2019-03-27 | Symantec | Critical Attack Discovery and Intelligence Team
@online{team:20190327:elfin:d90a330, author = {Critical Attack Discovery and Intelligence Team}, title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}}, date = {2019-03-27}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage}, language = {English}, urldate = {2020-04-21} } Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet MimiKatz Nanocore RAT NetWire RC pupy Quasar RAT Remcos StoneDrill TURNEDUP APT33
2019-03-26 | Kaspersky Labs | GReAT
@online{great:20190326:cryptocurrency:c95b701, author = {GReAT}, title = {{Cryptocurrency businesses still being targeted by Lazarus}}, date = {2019-03-26}, organization = {Kaspersky Labs}, url = {https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/}, language = {English}, urldate = {2019-12-20} } Cryptocurrency businesses still being targeted by Lazarus
Yort Lazarus Group
2019-03-20 | Github (649) | @037
@online{037:20190320:apt38:4c7f1d4, author = {@037}, title = {{APT38 DYEPACK FRAMEWORK}}, date = {2019-03-20}, organization = {Github (649)}, url = {https://github.com/649/APT38-DYEPACK}, language = {English}, urldate = {2019-12-17} } APT38 DYEPACK FRAMEWORK
DYEPACK
2019-03-18 | DCSO | DCSO
@online{dcso:20190318:enterprise:ff92a62, author = {DCSO}, title = {{Enterprise Malware-as-a-Service: Lazarus Group and the Evolution of Ransomware}}, date = {2019-03-18}, organization = {DCSO}, url = {https://web.archive.org/web/20200922165625/https://dcso.de/2019/03/18/enterprise-malware-as-a-service/}, language = {English}, urldate = {2021-12-13} } Enterprise Malware-as-a-Service: Lazarus Group and the Evolution of Ransomware
Hermes
2019-03-12 | Malwarebytes | William Tsing
@online{tsing:20190312:advanced:e68d915, author = {William Tsing}, title = {{The Advanced Persistent Threat files: Lazarus Group}}, date = {2019-03-12}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2019/03/the-advanced-persistent-threat-files-lazarus-group/}, language = {English}, urldate = {2019-12-20} } The Advanced Persistent Threat files: Lazarus Group
Lazarus Group
2019-02-27 | Secureworks | CTU Research Team
@online{team:20190227:peek:16c9160, author = {CTU Research Team}, title = {{A Peek into BRONZE UNION’s Toolbox}}, date = {2019-02-27}, organization = {Secureworks}, url = {https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox}, language = {English}, urldate = {2020-01-07} } A Peek into BRONZE UNION’s Toolbox
Ghost RAT HyperBro ZXShell
2019-02-19 | Check Point Research | Check Point
@online{point:20190219:north:2d1cfbe, author = {Check Point}, title = {{North Korea Turns Against New Targets?!}}, date = {2019-02-19}, organization = {Check Point Research}, url = {https://research.checkpoint.com/north-korea-turns-against-russian-targets/}, language = {English}, urldate = {2019-10-21} } North Korea Turns Against New Targets?!
KEYMARBLE
2019-01-31 | ESTsecurity | Alyac
@online{alyac:20190131:lazarus:bbb47f8, author = {Alyac}, title = {{Lazarus APT Organization Attacks with Operation Extreme Job}}, date = {2019-01-31}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/2105}, language = {Korean}, urldate = {2019-10-21} } Lazarus APT Organization Attacks with Operation Extreme Job
CoreDN
2019-01-30 | Cisco Talos | Edmund Brumaghin, Paul Rascagnères, Jungsoo An
@online{brumaghin:20190130:fake:3499d4e, author = {Edmund Brumaghin and Paul Rascagnères and Jungsoo An}, title = {{Fake Cisco Job Posting Targets Korean Candidates}}, date = {2019-01-30}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/01/fake-korean-job-posting.html}, language = {English}, urldate = {2023-09-07} } Fake Cisco Job Posting Targets Korean Candidates
CoreDN JessieConTea
2019-01-29 | MITRE | MITRE ATT&CK
@online{attck:20190129:apt38:dcc2df5, author = {MITRE ATT&CK}, title = {{APT38}}, date = {2019-01-29}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0082}, language = {English}, urldate = {2022-07-13} } APT38
Lazarus Group
2019-01-23 | NSHC RedAlert Labs | ThreatRecon Team
@online{team:20190123:sectora01:963118e, author = {ThreatRecon Team}, title = {{SectorA01 Custom Proxy Utility Tool Analysis}}, date = {2019-01-23}, organization = {NSHC RedAlert Labs}, url = {https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/}, language = {English}, urldate = {2019-10-18} } SectorA01 Custom Proxy Utility Tool Analysis
FastCash
2019-01-22 | One Night in Norfolk | Norfolk
@online{norfolk:20190122:lazarus:74b5983, author = {Norfolk}, title = {{A Lazarus Keylogger- PSLogger}}, date = {2019-01-22}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/a-lazarus-keylogger-pslogger/}, language = {English}, urldate = {2020-01-10} } A Lazarus Keylogger- PSLogger
PSLogger
2019-01-16 | ZDNet | Catalin Cimpanu
@online{cimpanu:20190116:north:8f56bd0, author = {Catalin Cimpanu}, title = {{North Korean hackers infiltrate Chile's ATM network after Skype job interview}}, date = {2019-01-16}, organization = {ZDNet}, url = {https://www.zdnet.com/article/north-korean-hackers-infiltrate-chiles-atm-network-after-skype-job-interview/}, language = {English}, urldate = {2020-01-10} } North Korean hackers infiltrate Chile's ATM network after Skype job interview
Lazarus Group
2019-01-15 | Flashpoint | Vitali Kremez
@online{kremez:20190115:disclosure:0e74c4e, author = {Vitali Kremez}, title = {{Disclosure of Chilean Redbanc Intrusion Leads to Lazarus Ties}}, date = {2019-01-15}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/}, language = {English}, urldate = {2019-08-08} } Disclosure of Chilean Redbanc Intrusion Leads to Lazarus Ties
PowerRatankba
2019-01-07 | Intezer | Ignacio Sanmillan
@online{sanmillan:20190107:chinaz:50bb5f4, author = {Ignacio Sanmillan}, title = {{ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups}}, date = {2019-01-07}, organization = {Intezer}, url = {https://www.intezer.com/blog/malware-analysis/chinaz-relations/}, language = {English}, urldate = {2022-09-20} } ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups
Ghost RAT
2019 | Dragos | Dragos
@online{dragos:2019:adversary:0237a20, author = {Dragos}, title = {{Adversary Reports}}, date = {2019}, organization = {Dragos}, url = {https://dragos.com/adversaries.html}, language = {English}, urldate = {2020-01-10} } Adversary Reports
ALLANITE APT33 CHRYSENE ENERGETIC BEAR Lazarus Group Sandworm
2019 | CISA | CISA
@online{cisa:2019:hidden:52ee565, author = {CISA}, title = {{HIDDEN COBRA - North Korean Malicious Cyber Activity}}, date = {2019}, organization = {CISA}, url = {https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity}, language = {English}, urldate = {2020-01-07} } HIDDEN COBRA - North Korean Malicious Cyber Activity
Lazarus Group
2019 | Council on Foreign Relations | Cyber Operations Tracker
@online{tracker:2019:compromise:31bbbf4, author = {Cyber Operations Tracker}, title = {{Compromise of cryptocurrency exchanges in South Korea}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/compromise-cryptocurrency-exchanges-south-korea}, language = {English}, urldate = {2019-12-20} } Compromise of cryptocurrency exchanges in South Korea
Lazarus Group
2019 | Council on Foreign Relations | Cyber Operations Tracker
@online{tracker:2019:operation:207fc18, author = {Cyber Operations Tracker}, title = {{Operation GhostSecret}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/operation-ghostsecret}, language = {English}, urldate = {2019-12-20} } Operation GhostSecret
Lazarus Group
2019 | Council on Foreign Relations | Cyber Operations Tracker
@online{tracker:2019:covellite:a635ad6, author = {Cyber Operations Tracker}, title = {{Covellite}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/covellite}, language = {English}, urldate = {2019-12-20} } Covellite
Lazarus Group
2019-01 | Journal of Telecommunications and Information Technology | Maxat Akbanov, Vassilios G. Vassilakis, Michael D. Logothetis
@techreport{akbanov:201901:wannacry:60d302c, author = {Maxat Akbanov and Vassilios G. Vassilakis and Michael D. Logothetis}, title = {{WannaCry Ransomware: Analysis of Infection, Persistence, Recovery Prevention and Propagation Mechanisms}}, date = {2019-01}, institution = {Journal of Telecommunications and Information Technology}, url = {https://www.il-pib.pl/czasopisma/JTIT/2019/1/113.pdf}, language = {English}, urldate = {2021-01-11} } WannaCry Ransomware: Analysis of Infection, Persistence, Recovery Prevention and Propagation Mechanisms
WannaCryptor
2019 | MITRE | MITRE ATT&CK
@online{attck:2019:lazarus:a298c2f, author = {MITRE ATT&CK}, title = {{Group description: Lazarus Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0032/}, language = {English}, urldate = {2019-12-20} } Group description: Lazarus Group
Lazarus Group
2019 | Council on Foreign Relations | Cyber Operations Tracker
@online{tracker:2019:lazarus:f46916d, author = {Cyber Operations Tracker}, title = {{Lazarus Group}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/lazarus-group}, language = {English}, urldate = {2019-12-20} } Lazarus Group
Lazarus Group
2018-12-31 | Github Repository | Frank Boldewin
@online{boldewin:20181231:fastcashmalwaredissected:d72e332, author = {Frank Boldewin}, title = {{FastCashMalwareDissected}}, date = {2018-12-31}, organization = {Github Repository}, url = {https://github.com/fboldewin/FastCashMalwareDissected/}, language = {English}, urldate = {2019-07-10} } FastCashMalwareDissected
FastCash
2018-12-12 | McAfee | Ryan Sherstobitoff, Asheer Malhotra
@online{sherstobitoff:20181212:operation:df0b2d2, author = {Ryan Sherstobitoff and Asheer Malhotra}, title = {{‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure}}, date = {2018-12-12}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/}, language = {English}, urldate = {2020-01-13} } ‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure
Rising Sun Lazarus Group Operation Sharpshooter
2018-11-20 | Trend Micro | Lenart Bermejo, Joelson Soares
@online{bermejo:20181120:lazarus:1d8d3b3, author = {Lenart Bermejo and Joelson Soares}, title = {{Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America}}, date = {2018-11-20}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/}, language = {English}, urldate = {2020-01-06} } Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America
BLINDTOAD
2018-11-17 | Youtube (Demonslay335) | Michael Gillespie
@online{gillespie:20181117:analyzing:ecd5641, author = {Michael Gillespie}, title = {{Analyzing Ransomware - Beginner Static Analysis}}, date = {2018-11-17}, organization = {Youtube (Demonslay335)}, url = {https://www.youtube.com/watch?v=9nuo-AGg4p4}, language = {English}, urldate = {2021-12-13} } Analyzing Ransomware - Beginner Static Analysis
Hermes
2018-11-08 | Symantec | Critical Attack Discovery and Intelligence Team
@online{team:20181108:fastcash:acf8e38, author = {Critical Attack Discovery and Intelligence Team}, title = {{FASTCash: How the Lazarus Group is Emptying Millions from ATMs}}, date = {2018-11-08}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware}, language = {English}, urldate = {2020-04-21} } FASTCash: How the Lazarus Group is Emptying Millions from ATMs
FastCash Lazarus Group
2018-11-08 | Symantec | Security Response Attack Investigation Team
@online{team:20181108:fastcash:ee26edb, author = {Security Response Attack Investigation Team}, title = {{FASTCash: How the Lazarus Group is Emptying Millions from ATMs}}, date = {2018-11-08}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware}, language = {English}, urldate = {2022-05-03} } FASTCash: How the Lazarus Group is Emptying Millions from ATMs
FastCash Lazarus Group
2018-10-08 | Youtube Video | Saher Naumaan
@online{naumaan:20181008:bsides:26586e2, author = {Saher Naumaan}, title = {{BSides Belfast 2018: Lazarus On The Rise: Insights From SWIFT Bank Attacks}}, date = {2018-10-08}, organization = {Youtube Video}, url = {https://youtu.be/_kzFNQySEMw?t=789}, language = {English}, urldate = {2019-10-15} } BSides Belfast 2018: Lazarus On The Rise: Insights From SWIFT Bank Attacks
NESTEGG
2018-10-03 | Virus Bulletin | Peter Kálnai, Michal Poslušný
@techreport{klnai:20181003:lazarus:bebf0ad, author = {Peter Kálnai and Michal Poslušný}, title = {{Lazarus Group A Mahjong Game Played with Different Sets of Tiles}}, date = {2018-10-03}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf}, language = {English}, urldate = {2023-08-31} } Lazarus Group A Mahjong Game Played with Different Sets of Tiles
Bankshot BanPolMex RAT FuwuqiDrama HOTWAX KillDisk (Lazarus) NACHOCHEESE REDSHAWL WannaCryptor
2018-10-02 | US-CERT | US-CERT
@online{uscert:20181002:alert:c29ba37, author = {US-CERT}, title = {{Alert (TA18-275A) HIDDEN COBRA: FASTCash Campaign}}, date = {2018-10-02}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA18-275A}, language = {English}, urldate = {2020-01-13} } Alert (TA18-275A) HIDDEN COBRA: FASTCash Campaign
FastCash
2018-10-02 | CISA | Department of Homeland Security (DHS), Department of the Treasury (Treasury), FBI
@online{dhs:20181002:alert:6e24ac4, author = {Department of Homeland Security (DHS) and Department of the Treasury (Treasury) and FBI}, title = {{Alert (TA18-275A): HIDDEN COBRA – FASTCash Campaign}}, date = {2018-10-02}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/TA18-275A}, language = {English}, urldate = {2022-04-20} } Alert (TA18-275A): HIDDEN COBRA – FASTCash Campaign
FastCash
2018-10-01 | Youtube (FireEye Inc.) | Christopher DiGiamo, Nalani Fraser, Jacqueline O’Leary
@online{digiamo:20181001:cds:a580f8f, author = {Christopher DiGiamo and Nalani Fraser and Jacqueline O’Leary}, title = {{CDS 2018 | Unmasking APT X}}, date = {2018-10-01}, organization = {Youtube (FireEye Inc.)}, url = {https://youtu.be/8hJyLkLHH8Q?t=1208}, language = {English}, urldate = {2020-01-06} } CDS 2018 | Unmasking APT X
NESTEGG
2018-09-19 | Möbius Strip Reverse Engineering | Rolf Rolles
@online{rolles:20180919:hexrays:1afcc0c, author = {Rolf Rolles}, title = {{Hex-Rays Microcode API vs. Obfuscating Compiler}}, date = {2018-09-19}, organization = {Möbius Strip Reverse Engineering}, url = {http://www.hexblog.com/?p=1248}, language = {English}, urldate = {2019-10-28} } Hex-Rays Microcode API vs. Obfuscating Compiler
Ghost RAT
2018-09-06 | Department of Justice | Office of Public Affairs
@online{affairs:20180906:north:9b30dd0, author = {Office of Public Affairs}, title = {{North Korean Regime-Backed Programmer Charged With Conspiracy to Conduct Multiple Cyber Attacks and Intrusions}}, date = {2018-09-06}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and}, language = {English}, urldate = {2020-01-07} } North Korean Regime-Backed Programmer Charged With Conspiracy to Conduct Multiple Cyber Attacks and Intrusions
Lazarus Group
2018-08-27 | DARKReading | Jai Vijayan
@online{vijayan:20180827:north:97ee4d4, author = {Jai Vijayan}, title = {{North Korean Hacking Group Steals $13.5 Million From Indian Bank}}, date = {2018-08-27}, organization = {DARKReading}, url = {https://www.darkreading.com/attacks-breaches/north-korean-hacking-group-steals-$135-million-from-indian-bank-/d/d-id/1332678}, language = {English}, urldate = {2020-01-13} } North Korean Hacking Group Steals $13.5 Million From Indian Bank
Lazarus Group
2018-08-23 | Bleeping Computer | Catalin Cimpanu
@online{cimpanu:20180823:lazarus:e929232, author = {Catalin Cimpanu}, title = {{Lazarus Group Deploys Its First Mac Malware in Cryptocurrency Exchange Hack}}, date = {2018-08-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/lazarus-group-deploys-its-first-mac-malware-in-cryptocurrency-exchange-hack/}, language = {English}, urldate = {2019-12-20} } Lazarus Group Deploys Its First Mac Malware in Cryptocurrency Exchange Hack
Lazarus Group
2018-08-23 | Kaspersky Labs | GReAT
@online{great:20180823:operation:c1011d3, author = {GReAT}, title = {{Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware}}, date = {2018-08-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-applejeus/87553/}, language = {English}, urldate = {2019-12-20} } Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware
AppleJeus Volgmer Lazarus Group
2018-08-09 | CISA | CISA
@online{cisa:20180809:malware:71c0559, author = {CISA}, title = {{Malware Analysis Report (AR18-221A)}}, date = {2018-08-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR18-221A}, language = {English}, urldate = {2020-01-07} } Malware Analysis Report (AR18-221A)
KEYMARBLE
2018-07-30 | Proofpoint | Proofpoint Staff
@online{staff:20180730:new:07c5e76, author = {Proofpoint Staff}, title = {{New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign}}, date = {2018-07-30}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside}, language = {English}, urldate = {2021-12-13} } New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign
Azorult Hermes
2018-07-26 | IEEE Symposium on Security and Privacy (SP) | Danny Yuxing Huang, Maxwell Matthaios Aliapoulios, Vector Guo Li, Luca Invernizzi, Kylie McRoberts, Elie Bursztein, Jonathan Levin, Kirill Levchenko, Alex C. Snoeren, Damon McCoy
@techreport{huang:20180726:tracking:b51d0ee, author = {Danny Yuxing Huang and Maxwell Matthaios Aliapoulios and Vector Guo Li and Luca Invernizzi and Kylie McRoberts and Elie Bursztein and Jonathan Levin and Kirill Levchenko and Alex C. Snoeren and Damon McCoy}, title = {{Tracking Ransomware End-to-end}}, date = {2018-07-26}, institution = {IEEE Symposium on Security and Privacy (SP)}, url = {https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf}, language = {English}, urldate = {2021-04-16} } Tracking Ransomware End-to-end
Cerber Locky WannaCryptor
2018-06-23 | AhnLab | AhnLab
@techreport{ahnlab:20180623:full:dced6a4, author = {AhnLab}, title = {{Full Discloser of Andariel, A Subgroup of Lazarus Threat Group}}, date = {2018-06-23}, institution = {AhnLab}, url = {https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf}, language = {English}, urldate = {2019-12-24} } Full Discloser of Andariel, A Subgroup of Lazarus Threat Group
PhanDoor Rifdoor
2018-06-13 | Acalvio | Team Acalvio
@online{acalvio:20180613:lateral:ab17115, author = {Team Acalvio}, title = {{Lateral Movement Technique Employed by Hidden Cobra}}, date = {2018-06-13}, organization = {Acalvio}, url = {https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/}, language = {English}, urldate = {2020-01-13} } Lateral Movement Technique Employed by Hidden Cobra
Brambul Joanap
2018-06-13 | Threatpost | Tara Seals
@online{seals:20180613:banco:4861a7b, author = {Tara Seals}, title = {{Banco de Chile Wiper Attack Just a Cover for $10M SWIFT Heist}}, date = {2018-06-13}, organization = {Threatpost}, url = {https://threatpost.com/banco-de-chile-wiper-attack-just-a-cover-for-10m-swift-heist/132796/}, language = {English}, urldate = {2020-01-13} } Banco de Chile Wiper Attack Just a Cover for $10M SWIFT Heist
Lazarus Group
2018-06-08 | United States District Court (California) | Nathan P. Shields, Rozella A. Oliver
@online{shields:20180608:complaint:8b4b2dc, author = {Nathan P. Shields and Rozella A. Oliver}, title = {{Complaint against Jin Hyok Park}}, date = {2018-06-08}, organization = {United States District Court (California)}, url = {https://www.documentcloud.org/documents/4834259-Park-Jin-Hyok-Complaint.html}, language = {English}, urldate = {2020-01-08} } Complaint against Jin Hyok Park
NESTEGG
2018-06-07 | Trend Micro | Fernando Mercês
@online{mercs:20180607:new:760f179, author = {Fernando Mercês}, title = {{New KillDisk Variant Hits Latin American Financial Organizations Again}}, date = {2018-06-07}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-latin-american-financial-organizations-again/}, language = {English}, urldate = {2020-01-09} } New KillDisk Variant Hits Latin American Financial Organizations Again
BOOTWRECK
2018-05-29 | Bloomberg | Michelle Davis
@online{davis:20180529:mexico:d40bc2d, author = {Michelle Davis}, title = {{Mexico Foiled a $110 Million Bank Heist, Then Kept It a Secret}}, date = {2018-05-29}, organization = {Bloomberg}, url = {https://www.bloomberg.com/news/articles/2018-05-29/mexico-foiled-a-110-million-bank-heist-then-kept-it-a-secret}, language = {English}, urldate = {2020-01-07} } Mexico Foiled a $110 Million Bank Heist, Then Kept It a Secret
Lazarus Group
2018-05-29 | US-CERT | US-CERT
@online{uscert:20180529:mar101355363:6ee74d8, author = {US-CERT}, title = {{MAR-10135536-3 - HIDDEN COBRA RAT/Worm}}, date = {2018-05-29}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR18-149A}, language = {English}, urldate = {2019-10-13} } MAR-10135536-3 - HIDDEN COBRA RAT/Worm
Brambul Joanap
2018-05-29 | US-CERT | US-CERT
@online{uscert:20180529:alert:9ab63c1, author = {US-CERT}, title = {{Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm}}, date = {2018-05-29}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA18-149A}, language = {English}, urldate = {2020-01-10} } Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
Brambul Joanap
2018-05-03 | McAfee | Ryan Sherstobitoff, Itai Liba, James Walter
@techreport{sherstobitoff:20180503:dissecting:13102f0, author = {Ryan Sherstobitoff and Itai Liba and James Walter}, title = {{Dissecting Operation Troy: Cyberespionage in South Korea}}, date = {2018-05-03}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf}, language = {English}, urldate = {2020-01-10} } Dissecting Operation Troy: Cyberespionage in South Korea
concealment_troy http_troy Lazarus Group
2018-04-27 | Bleeping Computer | Catalin Cimpanu
@online{cimpanu:20180427:north:b7ed973, author = {Catalin Cimpanu}, title = {{North Korean Hackers Are up to No Good Again}}, date = {2018-04-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/}, language = {English}, urldate = {2019-12-20} } North Korean Hackers Are up to No Good Again
Lazarus Group
2018-04-24 | McAfee | Ryan Sherstobitoff
@online{sherstobitoff:20180424:analyzing:4383088, author = {Ryan Sherstobitoff}, title = {{Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide}}, date = {2018-04-24}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/}, language = {English}, urldate = {2023-02-27} } Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide
GhostSecret
2018-04-24 | McAfee | Ryan Sherstobitoff, Asheer Malhotra
@online{sherstobitoff:20180424:analyzing:9aac21f, author = {Ryan Sherstobitoff and Asheer Malhotra}, title = {{Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide}}, date = {2018-04-24}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/}, language = {English}, urldate = {2020-01-10} } Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide
Lazarus Group
2018-04-20 | NCC Group | Nikolaos Pantazopoulos
@online{pantazopoulos:20180420:decoding:b4ca1d1, author = {Nikolaos Pantazopoulos}, title = {{Decoding network data from a Gh0st RAT variant}}, date = {2018-04-20}, organization = {NCC Group}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/}, language = {English}, urldate = {2022-10-07} } Decoding network data from a Gh0st RAT variant
Ghost RAT APT27
2018-04-17 | NCC Group | Nikolaos Pantazopoulos
@online{pantazopoulos:20180417:decoding:7d5f713, author = {Nikolaos Pantazopoulos}, title = {{Decoding network data from a Gh0st RAT variant}}, date = {2018-04-17}, organization = {NCC Group}, url = {https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/}, language = {English}, urldate = {2022-09-20} } Decoding network data from a Gh0st RAT variant
Ghost RAT APT27
2018-04-03 | ESET Research | Peter Kálnai, Anton Cherepanov
@online{klnai:20180403:lazarus:14ff18c, author = {Peter Kálnai and Anton Cherepanov}, title = {{Lazarus KillDisks Central American casino}}, date = {2018-04-03}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/}, language = {English}, urldate = {2023-03-27} } Lazarus KillDisks Central American casino
KillDisk (Lazarus) Lazarus Group
2018-03-28 | Intezer | Jay Rosenberg
@online{rosenberg:20180328:lazarus:307e39e, author = {Jay Rosenberg}, title = {{Lazarus Group Targets More Cryptocurrency Exchanges and FinTech Companies}}, date = {2018-03-28}, organization = {Intezer}, url = {http://www.intezer.com/lazarus-group-targets-more-cryptocurrency-exchanges-and-fintech-companies/}, language = {English}, urldate = {2019-11-27} } Lazarus Group Targets More Cryptocurrency Exchanges and FinTech Companies
Unidentified 042
2018-03-14 | Malwarebytes Labs | hasherezade, Jérôme Segura, Vasilios Hioureas
@online{hasherezade:20180314:hermes:45a9a60, author = {hasherezade and Jérôme Segura and Vasilios Hioureas}, title = {{Hermes ransomware distributed to South Koreans via recent Flash zero-day}}, date = {2018-03-14}, organization = {Malwarebytes Labs}, url = {https://www.malwarebytes.com/blog/news/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day}, language = {English}, urldate = {2023-06-01} } Hermes ransomware distributed to South Koreans via recent Flash zero-day
Hermes
2018-03-08 | McAfee | Ryan Sherstobitoff, Asheer Malhotra, Charles Crawford, Jessica Saavedra-Morales
@online{sherstobitoff:20180308:hidden:c1459ef, author = {Ryan Sherstobitoff and Asheer Malhotra and Charles Crawford and Jessica Saavedra-Morales}, title = {{Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant}}, date = {2018-03-08}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/}, language = {English}, urldate = {2019-10-14} } Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant
Lazarus Group
2018-03 | Kaspersky Labs | Kaspersky Lab Global Research and Analysis Team
@techreport{research:201803:lazarus:9dd4571, author = {Kaspersky Lab Global Research and Analysis Team}, title = {{Lazarus under the Hood}}, date = {2018-03}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180231/LazarusUnderTheHood_PDF_final_for_securelist.pdf}, language = {English}, urldate = {2019-11-28} } Lazarus under the Hood
NESTEGG
2018-03 | Kaspersky Labs | Kaspersky Lab
@techreport{lab:201803:lazarus:3fd5ac4, author = {Kaspersky Lab}, title = {{Lazarus under the Hood}}, date = {2018-03}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf}, language = {English}, urldate = {2020-01-07} } Lazarus under the Hood
BlueNoroff HOTWAX REDSHAWL WORMHOLE
2018-03-01 | Dragos | Dragos
@techreport{dragos:20180301:industrial:6e4e898, author = {Dragos}, title = {{INDUSTRIAL CONTROL SYSTEM THREATS}}, date = {2018-03-01}, institution = {Dragos}, url = {https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf}, language = {English}, urldate = {2020-01-08} } INDUSTRIAL CONTROL SYSTEM THREATS
APT33 CHRYSENE ENERGETIC BEAR Lazarus Group Sandworm
2018-02-12 | McAfee | Ryan Sherstobitoff, Asheer Malhotra, Jessica Saavedra-Morales, Thomas Roccia
@online{sherstobitoff:20180212:lazarus:0c034e1, author = {Ryan Sherstobitoff and Asheer Malhotra and Jessica Saavedra-Morales and Thomas Roccia}, title = {{Lazarus Resurfaces, Targets Global Banks and Bitcoin Users}}, date = {2018-02-12}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/}, language = {English}, urldate = {2020-10-28} } Lazarus Resurfaces, Targets Global Banks and Bitcoin Users
CoreDN
2018-02-11 | Symantec | Ling Zhou
@online{zhou:20180211:technical:56dd35c, author = {Ling Zhou}, title = {{Technical Description: Downloader.Jelous}}, date = {2018-02-11}, organization = {Symantec}, url = {https://www.symantec.com/security-center/writeup/2018-021216-4405-99#technicaldescription}, language = {English}, urldate = {2020-01-13} } Technical Description: Downloader.Jelous
CoreDN
2018-02-05 | US-CERT | Unknown Unknown
@techreport{unknown:20180205:hidden:3e1e07e, author = {Unknown Unknown}, title = {{HIDDEN COBRA - North Korean Malicious Cyber Activity}}, date = {2018-02-05}, institution = {US-CERT}, url = {https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf}, language = {English}, urldate = {2019-12-20} } HIDDEN COBRA - North Korean Malicious Cyber Activity
HARDRAIN HARDRAIN
2018-02-01 | Bitdefender | Bitdefender Team
@techreport{team:20180201:operation:e76f179, author = {Bitdefender Team}, title = {{Operation PZCHAO Inside a highly specialized espionage infrastructure}}, date = {2018-02-01}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/185/Bitdefender-Business-2017-WhitePaper-PZCHAO-crea2452-en-EN-GenericUse.pdf}, language = {English}, urldate = {2022-09-20} } Operation PZCHAO Inside a highly specialized espionage infrastructure
Ghost RAT APT27
2018-01-29 | Proofpoint | Darien Huss
@techreport{huss:20180129:north:438b45d, author = {Darien Huss}, title = {{North Korea Bitten by Bitcoin Bug}}, date = {2018-01-29}, institution = {Proofpoint}, url = {https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug-180129.pdf}, language = {English}, urldate = {2020-01-05} } North Korea Bitten by Bitcoin Bug
Bitsran
2018-01-24 | Trend Micro | Trendmicro
@online{trendmicro:20180124:look:fa400c7, author = {Trendmicro}, title = {{A Look into the Lazarus Group’s Operations}}, date = {2018-01-24}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/a-look-into-the-lazarus-groups-operations}, language = {English}, urldate = {2019-12-04} } A Look into the Lazarus Group’s Operations
Lazarus Group
2018-01-24 | Trend Micro | CH Lei, Fyodor Yarochkin, Lenart Bermejo, Philippe Z Lin, Razor Huang
@online{lei:20180124:lazarus:63d2701, author = {CH Lei and Fyodor Yarochkin and Lenart Bermejo and Philippe Z Lin and Razor Huang}, title = {{Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More}}, date = {2018-01-24}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/}, language = {English}, urldate = {2020-01-08} } Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More
PowerRatankba
2018-01-15 | Trend Micro | Gilbert Sison, Rheniel Ramos, Jay Yaneza, Alfredo Oliveira
@online{sison:20180115:new:15ece8f, author = {Gilbert Sison and Rheniel Ramos and Jay Yaneza and Alfredo Oliveira}, title = {{New KillDisk Variant Hits Financial Organizations in Latin America}}, date = {2018-01-15}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/}, language = {English}, urldate = {2023-03-27} } New KillDisk Variant Hits Financial Organizations in Latin America
KillDisk (Lazarus) Lazarus Group
2018-01-04 | Malware Traffic Analysis | Brad Duncan
@online{duncan:20180104:malspam:ce2dfac, author = {Brad Duncan}, title = {{MALSPAM PUSHING PCRAT/GH0ST}}, date = {2018-01-04}, organization = {Malware Traffic Analysis}, url = {http://www.malware-traffic-analysis.net/2018/01/04/index.html}, language = {English}, urldate = {2019-12-24} } MALSPAM PUSHING PCRAT/GH0ST
Ghost RAT
2018-01-01 | McAfee | Ryan Sherstobitoff, Itai Liba, James Walter
@techreport{sherstobitoff:20180101:dissecting:73712a7, author = {Ryan Sherstobitoff and Itai Liba and James Walter}, title = {{Dissecting Operation Troy: Cyberespionage in South Korea}}, date = {2018-01-01}, institution = {McAfee}, url = {http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf}, language = {English}, urldate = {2019-10-15} } Dissecting Operation Troy: Cyberespionage in South Korea
Lazarus Group
2018 | FireEye | FireEye
@online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
2018 | FireEye | FireEye
@techreport{fireeye:2018:apt38:c81b87d, author = {FireEye}, title = {{APT38}}, date = {2018}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf}, language = {English}, urldate = {2020-01-07} } APT38
CHEESETRAY CLEANTOAD NACHOCHEESE
2017-12-20 | RiskIQ | Yonathan Klijnsma
@online{klijnsma:20171220:mining:4b3dc11, author = {Yonathan Klijnsma}, title = {{Mining Insights: Infrastructure Analysis of Lazarus Group Cyber Attacks on the Cryptocurrency Industry}}, date = {2017-12-20}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/}, language = {English}, urldate = {2020-01-13} } Mining Insights: Infrastructure Analysis of Lazarus Group Cyber Attacks on the Cryptocurrency Industry
PowerRatankba
2017-12-19 | Proofpoint | Darien Huss
@online{huss:20171219:north:e5ef6da, author = {Darien Huss}, title = {{North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group}}, date = {2017-12-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new}, language = {English}, urldate = {2019-12-20} } North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group
Ghost RAT
2017-12-19 | Proofpoint | Darien Huss
@techreport{huss:20171219:north:b2da03e, author = {Darien Huss}, title = {{North Korea Bitten by Bitcoin Bug}}, date = {2017-12-19}, institution = {Proofpoint}, url = {https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf}, language = {English}, urldate = {2019-10-18} } North Korea Bitten by Bitcoin Bug
QUICKCAFE PowerSpritz Ghost RAT